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Abstract 


The culture, design, and operation of the maritime industry all contribute to create an error- 
inducing system. As oil tankers have become larger, the tolerance for error has decreased as 
the consequences have increased. Highly visible oil spills have made society more aware of the 
dangers inherent with transporting oil at sea. Tankers are the largest contributor by vessel type 
to worldwide oil spill volume. 


Human error has consistently been attributed to 80 percent of the marine accidents, a closer 
look reveals that many accidents attributed to human error are system errors. In fact, the term 
human error is unwarranted in many high-risk accidents and its use is a pejoration of the con- 
text. It points more to the action as an independent clause, rather than the context in which the 
action takes place. 


The maritime industry has been identified as a high risk operation, requiring an active risk man- 
agement program. Yet, to effect the appropriate risk management program, there must be an 
appreciation for the risk at hand. A probabilistic risk assessment (PRA) provides a formal 
process of determining the full range of possible adverse occurrences, probabilities, and ex- 
pected costs for any undesirable event. A PRA can identify those areas that offer the greatest 
risk-reducing potential. 


This thesis focuses on the first level of a proposed three-level risk model to determine the 
probability of a tanker grounding. The approach utilizes fault trees and event trees and incor- 
porates The Human Error Rate Prediction data to quantify individual errors. The result allows 
the identification of high-leverage factors in order to determine the most effective and efficient 
use of resources to reduce the probability of grounding; showing that the development of the 
Electronic Chart Display and Information System incorporated with the International Safety 
Management Code can significantly reduce the probability of grounding. 


Thesis Supervisor: | Alan Brown 
Title: Professor of Naval Architecture 
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Chapter 1 Introduction 


1.1 The Motivation 


Maritime oil spills are a significant international environmental problem. The culture, 
design, and operation of the maritime industry all contribute to create an error-inducing system 
[42].' Too often the consequence of these errors is the release of oil into the world’s water- 
ways. Oil spills have the capacity to evoke strong public reactions because of their potential 
environmental, economic and health impacts. Oil is an amalgam of thousands of chemicals, 
and each chemical affects the marine environment in a different way [14]. The environment 
itself lends uncertainty into any chemical’s effect. Wind, waves, current, temperature, and 
sunlight, all affect the ability of the oil to disperse, dissolve, and biodegrade [14]. Once an oil 
spill has occurred, the typical recovery rate is a modest 10 to 15 percent of the spilled oil [39]. 
Since oil spills are low probability-high consequence events that are, by nature, difficult to 
predict [66], prevention is the best response. It is the risk of an oil spill that motivates further 
investigation. A formal risk analysis is an important step toward prevention. 

Tankers are the largest contributor by vessel type to worldwide oil spill volume. From 
1986 to 1994, tankship spills accounted for 60 percent of the oil spilled from maritime sources 


(Figure 1-1) [8]. 
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Figure 1-1: Maritime Oil Spill Volume by Vessel Service 


1 « The [system] configuration of its many components induces errors and defeats attempts at error reduction. 
Discrete attempts to correct this or that will be defeated by something else; only a wholesale reconfiguration 
could make the parts fit together in an error-neutral or error-avoiding manner [42].” 
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An analysis of the claims against the United Kingdom Protection and Indemnity (UK P&I) 
Club in 1993 shows that tankers accounted for approximately half of total pollution claims 
[36]. 

According to the National Research Council (NRC), tanker groundings are a significant 
cause of oil spills (Figure 1-2) [36]. Globally, groundings represented 20 percent of all the 
tanker losses between 1987 and 1991 [59]. From 1981 and 1990, groundings represented 45 
percent of the major spill volume in U.S. waters [29]. Therefore, groundings present a signifi- 
cant spill classification to investigate in order to understand how to minimize oil pollution and 
they will be the primary focus of this thesis. 


Percent 








Collision Grounding Fire/Explosion Structural/Hull 


Figure 1-2: Major Tanker Oil Spills and Causes 


The maritime industry has been identified as a high risk operation, requiring an active 
risk management program.” The U.S. Coast Guard (USCG) has expressed a commitment to 
reduce the risks of the maritime industry. There have been a number of major tanker owners 
who have expressed the same commitment of cooperation with the USCG [8]. Rear Admiral 
Card (Chief, Office of Marine Safety, Security, and Environmental Protection, USCG), has 
entrusted both industry and the USCG to make “prevention a strategic concept.” Yet, to ef- 
fect the appropriate risk management program, there must be an appreciation for the risk at 
hand. 

While the possibility of an oil spill provides the impetus to investigate groundings, it 
must be remembered that the magnitude of oil outflow is a function of many unpredictable cir- 


? Based on roundtable discussion at the High Consequence Operations Safety Symposium, Sandia National 
Laboratories, Albuquerque, New Mexico, July 1984. Other industries identified include: nuclear power gen- 
eration; nuclear weapons assembly, storage, and disassembly; commercial aviation; chemical and petroleum 
processing. 
3 Card, J.C. Speech, Training and the Human Element in Accident Prevention Conference, The Center for 
Maritime Education, Seamen’s Church Institute of New York and New Jersey, October, 11 1995. 

9 








cumstances. There can be groundings that are preceded by marked and profound blunders, 
yet, the degree of oil spilled may be negligible. So while limiting oil outflow motivates the in- 
vestigation of groundings, the scope is much broader and concerns itself with the nature of the 
events leading to the vessel’s grounding. Hence, the ultimate goal is to understand the nature 
of the errors that lead to a grounding. Once understood, the proper policy and technology can 
be implemented to reduce groundings and serve to make the maritime industry safer in all re- 
spects. 


1.2 The Approach 


To understand the mechanisms that lead to a tanker grounding, there must be a sys- 
tematic approach. Probabilistic risk assessment (PRA) techniques provide a systematic process 
to follow that can give a better understanding of the accident mechanisms that lead to a tanker 
grounding. 

The PRA provides a formal process of determining the full range of possible adverse 
occurrences, probabilities, and expected costs for any undesirable event. It is a technique for 
identifying, characterizing, quantifying, and evaluating hazards [33]. Additionally, it can iden- 
tify those areas that offer the greatest risk-reducing potential. Once the components with the 
greatest risk-reducing potential are identified, appropriate technology and management 
schemes can be developed to properly influence risk reduction. 

Figure 1-3 shows a proposed risk model fore the tanker industry [1]. This model out- 
lines three levels of assessment for developing an overall risk assessment. 


Level 1 Level 2 Level 3 Result 


P(damage) —-P(outflowjdamage) P(impactfoutfiow) _ P(impact) 


u 3 : 4 
IDENTIFICATION OF DISTRIBUTION 
SYSTEM FAILURES OIL OUTFLOW OF OIL IN THE 

AND SEQUENCES ENVIRONMENT 





Figure 1-3: Risk Model 
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Level 1: Develop a probability of damage and the extent to the ship as the it responds to an 
initiating event: P(damage extent). 


Level 2: Given that an extent of damage has occurred, what is the probability that oil will 
outflow to the environment: P(outflow|damage extent). 


Level 3: Given that oil is released to the environment, what is the probability of conse- 
quences to the environment: P(impactloutflow). 


Result: The probability of oil pollution producing adverse economic and environmental con- 
sequences: 
P(impact) = P(damage extent) x P(outflow|damage extent) x P(impact|outflow) 


Previous work has concentrated on the grounding problem, specifically, identifying the 
system failures in level 1 [1]. This thesis will concentrate on the level 1 analysis for ground- 
ings by identifying the error sequences and identifying the error probabilities to determine the 
probability of grounding for a tanker. 


1.3 Discussion 


Many accident studies have been limited to the place where the accident occurred and 
limited to a small period of time preceding the accident [20]. The results have typically been 
interpreted as some form of carelessness on behalf of the individuals [52]. Traditional reac- 
tions to maritime accidents, which have been labeled as being primarily caused by human error, 
have led to the study of mariner skills and responses. As a result, punitive measures have been 
implemented to deter unsafe practices. 

The risks involved with the maritime industry, and more specifically, the tanker indus- 
try, need to be better understood. Placing blame on the front-line operators and installing a 
punitive model is short-sighted. There needs to be a systematic approach to understand, iden- 
tify, and minimize the risks. Once the risks are understood, and consideration is made of all 
the issues, the components of the system, and their synergism, the proper framework can be 
developed which addresses a wholesale solution rather than discrete problems. 

An understanding of the nature of the risks involved can be an impetus for cultural 
change throughout the maritime industry--yielding a balanced approach to managing safety 
performance. The goal is to have safe and profitable operations balanced by the interaction of 
management, the work environment, human behavior, and technology, all supported on a firm 
foundation of sound rules, regulations, and standards [8]. 

The culture, design, and operation of the maritime industry all contribute to create an 
error-inducing system [42]. While risk acceptance and risky behavior are often attributed to 
the “traditions of the sea” [42], the risks associated with sea transportation are no longer re- 
stricted to the domain of the seafarer.* Accidents such as the Exxon Valdez, Braer, and the 


4 The etymology of risk offers some insight. Derived from the Latin, risicum, it is the challenge presented by a 


barrier reef to a sailor. 
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more recent Sea Empress groundings have broadened the arena of active involvement. As oil 
tankers have gotten larger, the tolerance for error has decreased as the consequences have in- 
creased. However, society’s concerns are not as much about the proportionate increase in 
tanker size, as the disproportionate increase in the potential environmental impact [52]. While 
the tanker industry has been identified by the USCG has a high-risk industry, the USCG has 
also stated that the industry has a high potential for improvement [8]. 

The nature, magnitude, and importance of the risks and associated consequences of sea 
transportation of petroleum products requires a common knowledge of all the concerned par- 
ties. Hence, a systematic approach must be undertaken to effectively communicate the risks 
and consequences so that they can be minimized by the appropriate safety measures. The PRA 
offers that total systems approach 


1.4 Outline 


Chapter 2 presents an evaluation of the nature of oil spills, the grounding problem and 
the associated difficulties of existing databases. Chapter 3 presents the level 1 risk assessment 
methodology to be utilized. Since the human contribution to failure is significant, a review of 
contemporary human failure theory is necessary to understand the underlying implications of 
human behavior and cognitive engineering on the performance of tankers. Chapter 4 looks at 
the theory of human failure analysis. Chapter 5 then outlines the methodology required to 
quantify the human related failure probabilities. Chapter 6 provides the rationale for the failure 
sequence development and assigns probabilities to determine the probability of grounding. In 
conclusion, chapter 7 evaluates the results and offers some recommendations. 
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Chapter 2 The Nature of the Problem 


2.1 The Tanker Problem 


The international sea trade, and the tanker industry in particular, have been operating in 
a volatile market since the global recession of the 1980’s. The tanker industry is prone to 
oversupply [57]. The seemingly erratic nature of freight rates and the potential for large capi- 
tal appreciation when the freight rates soar, provides an inherent optimism within the industry. 
The availability of financing and government subsidies minimize barriers into the industry and 
fuel optimism. The tanker market has been described as being close to a perfectly competitive 
market [57]. However, the market is highly fragmented, as such, shipping companies do not 
exercise pricing power and they tend to accept whatever freight rates the market will bear-- 
even below the break-even point [57]. Therefore, readily available financing and over opti- 
mism keeps an over supply of tankers competing for below cost freight rates providing an im- 
petus to the ship owner to reduces costs where ever possible. As a result, open registry coun- 
tries continue to attract a major portion of the tanker fleet. By registering a vessel under a 
“flag of convenience” (FOC), shipowners are able to incur the benefits of tax allowances, the 
freedom to crew ships with low-wage labor, and often, less stringent vessel classification and 
inspection rules [43]. 

The principal countries offering flags of convenience are summarized in Table 2-1. 
These five FOC s represent nearly 40 percent of the worlds tanker tonnage [63]. 


Table 2 - 1: Registered Tonnage (vessels greater than 1000 dwt) in Principal FOCs 
(Status: December 31, 1993) 


Country Tanker Total Share of Tonnage Owned 
Tonnage Tonnage by Nationals in the Total 
1000 dwt 1000 dwt Register Fleet (% 


[Liberia | 49,030 | 88,354 | 
[Panama | 32,857 | 82,992, | 0. 
VE 

; 
ee. 











Bahamas 17,913 33,062 
Bermuda CREE) 5,098 


According to the UK P&I club, Panama and Cyprus stand out for having a significant 
number of claims for structural failures compared to the number of ships registered under the 
respective flags [60]. Furthermore, Panama’s poor performance as a flag state is indicated by 
the fact that over a third of the global tonnage lost in 1992 flew the Panamanian flag [25]. 
Table 2-2 [25] shows the number of vessel losses and the total gross tonnage lost for these 


FOCs. 
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Table 2 - 2: Number of Losses and Gross Tonnage Lost from 1988 - 
1992 (Vessels > 500 gross tons) 


Number of Losses 
751,792 
[Cyprus | 50 655,989 


Along with the trend of outflagging vessels, there has been a demonstrated change in 
the way many ships are managed. More shipowners are passing their responsibility for asset 
marketing and operations to professional ship management organizations. These organizations 
are typically private companies that are not involved with ownership but engage in managing 
vessels on a contractual basis to secure the best rate of return on the shipowner’s investment 
[43]. In addition to third party management, mortgage banks are typically involved, having 
proprietary rights to vessels [43].° 

As a result of registering vessels under FOCs and utilizing third party management, it is 
often difficult to determine accountability should a mishap occur. 

Another cost-cutting strategy adopted by shipowners is to extend the life of their ves- 
sels. Consequently, the age of the tanker fleet is growing. Before 1980, the average age of a 
tanker to be scrapped was 15 years [43]. In 1993, the average age of the active tanker fleet 
was 16.9 years [63]. It is expected that the average tanker age will increase by 5 percent per 
year [43]. While it is difficult to attribute accident causality directly to tanker age, there are 
some alarming statistics. For example, 99 percent of the tanker losses in 1992 involved ships 
which were at least 17 years old [25]. Figure 2-1 [25] shows the distribution of tanker losses 
by age between 1988 and 1992. 






Distribution of Tanker Losses Between Age of Ships by Gross Tonnage 





Figure 2 - 1: Distribution of Tanker Losses by Years of Age by Gross Tonnage (1988 - 1992) 


> The whole issue is exacerbated by subsidies to encourage shipbuilding, banks willing to lend based on gov- 

ernment guarantees, and shipowners willing to gamble on the next big boon. The result is an over-tonnage of 

vessels and consequential bankruptcies. 
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Those tankers greater than 15 years old represent 64 percent of all tanker losses by gross ton- 
nage. 

The trend for older tankers to represent a greater proportion of all losses has been 
consistent. Figure 2-2 [25] compares the number of tanker losses by age for the years 1982 
and 1992. 


Number of Tanker Losses by Age 


10-14 15-19 
Age (years) 





Figure 2-2; Number of Tanker Losses by Age ( 1982 and 1992) 


Claims against the UK P&I Club for structural or pollution damage tend to give the same dis- 
tribution with age [60]. 

Ship structures deteriorate with time and the deterioration accelerates in the absence of 
proper maintenance. If maintenance expenditures are reduced and maintenance intervals ex- 
tended to further cut costs, then accident intervals will increase. Commercial pressures have 
induced masters to exceed reasonable loading practices and to operate ships beyond design 
limits. 

Many vessels are manned by low-wage personnel from developing countries. Often 
these crews are not qualified. It is not unreasonable to find a 20 year old tanker registered un- 
der a FOC, with third party management, classed by a less than scrupulous classification soci- 
ety, implementing poor maintenance procedures done by unqualified low-wage personnel and 
supervised by officers speaking a different language from the crew. 

There are attempts to impede the unscrupulous ship owner. The International Asso- 
ciation of Classification Societies (IACS), has been formed to consolidate the group of repu- 
table classification societies. Port State controls have been implemented to help identify sub- 
standard tankers. Yet, there still exists a large contingency of sub-standard vessels. 
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2.2 Oil Spill Data 


The International Tanker Owners Pollution Federation maintains a database of oil spills 
from tankers, combined carriers, and barges. Data is based on spills over 7 metric tons. Esti- 
mates of the amount of oil spilled into the marine environment for each year between 1970 and 
1994 are shown in Figure 2-3 [I2]. 


Estimated Annual Oil Spilled 
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Figure 2 - 3; Estimated Annual World Wide Oil Spilled 


Most spills however, are small, and international data for small spills is either incom- 
plete or unreliable. It has been suggested that the contribution of small spills to the total 
amount of oil entering the oceans from the tanker industry is small. However, a review of the 
domestic data tells a different story. The USCG’s data base tracks spills in U.S. waters and 
spills abroad from U.S. flagged ships. The distribution of oil spills from major (> 10,000 gal- 
lons), medium (1,000 - 10,000 gallons), and small (<1,000 gallons) spills is shown in Figure 2- 
4° Small spills represent anywhere from 4 to 32 percent of the total volume spilled. 

While the distribution shows that the medium and small spills have varied significantly 
as a percentage of total amount spilled, Figure 2-5 shows that the volume of oil from small 
spills has remained relatively constant. 

It may be argued that major spills have been reduced in recent years; however, data 
suggests that the volume of spills from small and medium spills have remained relatively con- 
stant. The data from the USCG suggests that small and medium spills represent a significant 
percentage of the total volume spilled. In fact, since 1991, the USCG’s database shows that 
small and medium spills account for more oil pollution than large spills. 


© One metric ton equals 2,205 pounds, or 7.33 barrels, or 308 gallons (based on average Arabian Light 33.50 


API gravity). 
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In summary, it remains a difficult task to estimate worldwide spill volumes. Globally, 
data for spills is collected only for large spills. Yet, in the U.S. small and medium spills offer a 
significant contribution. It could be conjectured that this pattern is applicable on a global scale. 


Distribution Of Major, Medium and Small Oil Spills 


Percentage 








Figure 2 - 4: Distribution of Spills in U.S. Waters and U.S. Flagged Vessels 


Volume of Oil Spilled from Medium and Small Spills 


mw Medium 
Small 





Figure 2 - 5: Volume of Oil Spilled from Major and Small Spills in U.S. 
Waters and by U.S. Flagged Vessels 


Given the difficulty in determining spill volumes, it is just as difficult to determine any 
absolutes from trend analysis of the oil spill statistics. Peaks in Figure 2-3 are dominated by a 
few very large spills. Table 2-3 [12] shows the volume from a selection of major oil spills. 
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Table 2 - 3: Selected Major Oil Spills 


millions of gallons 
[1979 | Atlantic Empress _| 86 
1983 
| 1991 | ABT Summer | 80 


Nearly half of the total spill volume in 1994 is a result of the Braer. Furthermore, since 1985, 
10 spills account for 74 percent of all the major spill incidents by volume [12]. 

Highly visible oil spills have made society more aware of the potential dangers inherent 
with transporting oil at sea. Yet, the general public is oblivious to many significant spills. Ta- 
ble 2-4 lists the five largest spills world-wide for years 1993 and 1994. 






Table 2 - 4: Five Largest Tanker Spills 1993-1994 


2. a 
millions of gallons 

10/21/94 | ThanassisA.__({|__———iAN_—__| South China Sea, 400 mi off Hong Kong | 

13/13/94 | Nassia = =—r | ld Entrance to Bosporus Strait, Turke 


While many of these spills have escaped scrutiny by society at large, they represent a significant 


potential threat to the marine environment. 
Major spills seem to occur erratically. The clustering of events in a randomly generated 


sequence of events is expected. A sequence of events in the U.S., initiated by the Exxon Val- 
dez, led to the Oil Pollution Act of 1990 (OPA 90). While spills in U.S. waters have decreased 
significantly since implementing this legislation, the question remains: Has OPA 90 been effec- 
tive in reducing oil spills? “One of the problems with randomly occurring processes is, that 
measures, whatever they are, are sometimes seen to be effective” [20]. The fundamental ques- 
tion to be asked is: “How much of the process is random and how much is systematic” [20]? 
Until there is a better understanding of the accident mechanisms, any attempts to minimize 
their occurrences are reactionary with questionable effectiveness. 
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2.3 Summary 


Oil tankers represent 38 percent of the world’s fleet by tonnage [63].’ Nearly half of 
all the seaborne trade is involved with the transportation of crude oil and other petroleum 
products [63]. Figure 2-6 [63] shows the distribution of seaborne trade between the primary 
cargoes. The distribution of cargoes that comprise this trade is telling, in terms of the nature 
of the risk of an oil spill [52]. 
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Figure 2 -6: World Seaborne Trade by Types of Cargo 


It is difficult to estimate the total amount of petroleum hydrocarbons entering the 
world’s oceans. However, tanker spills appear to represent a significant contribution of all of 
the petroleum hydrocarbons introduced into the marine environment. Even though estimates 
show that the contribution has decreased by nearly 70 percent, it is difficult to determine if the 
trend is from initiatives implemented by tanker owners, oil companies and regulatory bodies. 
The erratic nature of major accidents implies a randomness, and the clustering of random 
events is expected. To be able to understand the data, there must be a fundamental under- 
standing of the accident mechanisms which result in oil spills. The nature of oil spills can be 


7 At the end of 1993, the oil tanker fleet represented 271,222,000 dwt, 38.2 percent of the world’s fleet by dwt 
[63]. 
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better understood through a systematic analysis. Only then can the systematic causes be fil- 
tered from the apparent randomness and properly addressed. 

Certain FOCs have a demonstrated poor accident performance. The fact of an owner 
choosing a particular flag does not give any reason to assume that the owner is seeking to 
lower his own standards through using a flag of poor performance. However, an owner who is 
not fully committed to quality is likely to be attracted by such flags [60]. 

The NRC found that for tankers over 10,000 dwt, grounding events dominate in terms 
of both numbers of accidents and the volume spilled [36]. It can be inferred that the primary 
reason for a grounding is an improper human response to an indication [1]. In essence, human 
failures prevail as the predominate factors in grounding accidents. Human error has consis- 
tently been attributed to 80 percent of marine casualties [38]. To be able to identify and 
quantify the human related errors involved with the groundings, there must be a thorough un- 
derstanding of human reliability and human factors to minimize the myopic condemnation of 
front-line operators. 
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Chapter 3 Risk Assessment 


3.1 The Probabilistic Risk Assessment 


Marine transportation operations are high risk and require an active risk management 
program. Even though the ratio of oil spilled to oil transported is extremely small, there is 
plenty of room for improvement. Hence, there is a need for a systematic approach to deter- 
mine the risks involved with transporting oil at sea. What is more important, is the need to 
determine the risk reducing potential. By identifying those areas with high potential for reduc- 
tion, limited economic resources can be utilized more effectively. There is momentum in the 
industry for change, and the outlined systematic approach offered by a PRA yields the areas of 
change to which the industry can focus. 

The PRA is a natural tool to assist in risk management decision making to prevent oil 
spills [55]. It provides a formal process of determining the full range of possible adverse oc- 
currences, probabilities, and expected costs for any undesirable event. The PRA is a technique 
for identifying, characterizing, quantifying, and evaluating hazards [33]. In addition, it can 
identify those areas that offer the greatest risk-reducing potential. Once the components with 
the greatest risk-reducing potential are identified, appropriate technology and management 
schemes can properly influence risk reduction. 

The approach to be undertaken has matured in the nuclear industry. The nuclear indus- 
try has committed a great deal of time and effort in the study of cognitive engineering to 
minimize the probability of high consequence accidents. Many of the issues undertaken in the 
nuclear industry are germane to the oil tanker industry. Nuclear power stations and oil tankers 
generate public anxieties when operated close to population centers and they are targets of 
environmental lobbies in the aftermath of an accident [53]. Additionally, both operate in an 
environment where it is often difficult to quantitatively ascertain the effects that all the influenc- 
ing variables have on operational safety [53]. Given the similarities, it is the intent of this proj- 
ect to take the risk assessment methodology that is firmly established in the nuclear industry 
and apply it to the maritime industry. 

The proposed risk model (Figure 1-3) outlines three levels of assessment that will lead 
to the ultimate probability of oil pollution producing an impact. This thesis will concentrate on 
one aspect of a level 1 analysis--tanker groundings. 

The approach has its foundations in the risk model and the event tree/fault tree meth- 
odology. The event tree/fault tree approach employs discrete logic diagrams to explicitly show 
the causal relationships within the system model to determine the probability of the accident 
scenarios. The methodology is widely used in technological systems applications [55], but it is 
also routinely performed to determine human reliability [17]. Since humans have been directly 
attributed to over 80 percent of maritime casualties [38], it seems important to utilize a method 
that is consistent with both the technical and the human aspects of the system. 
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3.2 Fault Trees 


Complex systems that have multiple failure modes with physical and operational inter- 
actions lend themselves to fault tree analysis, especially if the role of humans in the operation 
needs to be modeled [33]. 

A fault tree is a graphical display to show how basic component failures can lead to a 
pre-determined system failure state. In constructing a fault tree, one starts with a particular 
failure or undesired event and deductively works backwards to explore all the combinations of 
events that may lead to that particular failure. The reasoning used to build a fault tree for a 
system requires an understanding of the system and it’s intended use. At each reduction stage 
of the fault tree, the general causes for the undesirable top event must be determined in as 
broad of terms as possible. By being as general as possible at each reduction stage, it is more 
likely that all possible combinations of events may be taken into account. “Elegant simplicity 
instead of unnecessary complexity is to be encouraged” [3]. 

A minimum cut set is defined as a minimal set of system components such that if all the 
components fail, system failure results, but if any one component has not failed, no system fail- 
ure results [44]. Once the system is depicted in a logic diagram, the minimum cut sets can be 
determined. When the minimum cut sets are identified, the appropriate probabilities can be as- 
signed and the probability of the top event can be calculated. 

The fundamental building blocks of fault trees are the AND-gate and the OR-gate 


(Figure 3-1). 


AND-gate 
C=A AND B 
AND 
Output occurs if and only if all input events occur 
C=A+B 
OR-gate 
C=A ORB 
Output occurs if one or more input events occur 
A) (8 


Figure 3 - 1: AND-gate and OR-gate 


An AND operation requires that all the input faults occur for the output fault to occur. 
The AND operation corresponds to the intersection operation in set theory. An OR operation 


paps 








requires that only one input fault occur for the output fault to occur. The OR operation corre- 
sponds to the union operation in set theory. Additional notation used for fault trees are de- 


scribed in Figure 3-2. 
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3.2.1 Fault Tree Evaluation 


RECTANGLE 

The rectangle identifies an event that results from 
the combination of fault events through the input 
logic gate. 

CIRCLE 

The circle describes a basic fault event that requires 
no further development. 


TRIANGLE 


The triangle is used as a transfer symbol. 


DIAMOND 


The diamond describes an event that is not 
developed further because the event is of insufficient 
consequence or the necessary information is not 
available 


Figure 3-2: Fault Tree Symbolism 


The fault tree, although qualitative in nature, provides the framework for a quantitative 
evaluation [45]. Evaluation of a fault tree typically involves a top-down successive substitu- 
tion process invoking Boolean identities. The goal is to represent the fault tree by a reduced 
form Boolean expression. The reduced expression then represents the minimal cut sets. 

Consider the fault tree in Figure 3-3. For the top event E, there are: 


-Three intermediate events: El, E2, and E3. 


-Six basic events: A, B, C, D, E, and F. 


z3 











Figure 3 - 3: Example Fault Tree 


The expression for the top event E, is given by: 
E = (E1*C*E2) 
= (A+B)* C* (D+E3) 
= (A+B)*C*(D+(E* FP) (3-1) 


If all the basic events are independent of each other, then the probability of the top event E is 
given as: 


P(E) = [P(A) + PB) - P(A * B)] * [P(C)] * [P(D) + PE * F) - PD * E* FP) (3-2) 


Basic properties, rules of probability and Boolean identities are provided in Appendix 
A. 

There are limitations to the fault tree approach that must be recognized. Primarily, the 
limitations involve the completeness, the adequacy of the data, and the binary nature of the 
fault tree. Any quantification of the fault tree is constrained by these areas [45]. 
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3.3 Event Trees 


Event trees are used to display the results of a task analysis. The complete event- 
space, consisting of possible events in a system is represented pictorially. The tasks are made 
up of fundamental events. As the event is carried out, it is completed either successfully or 
unsuccessfully. Each limb of the tree represents a binary process and is annotated with the 
probability of success or failure. Refer to Figure 3-4. As the event tree progresses from left to 
right, each event 1s considered in a binary state, that is, it ether succeeds or fails. Each success 
limb moves up, while each failure limb moves down. Recall that the basic properties and rules 
of probability are provided in Appendix A. 


3.3.1 Event Tree Evaluation 


For some initiating event A (Figure 3-4), there is a corresponding probability of suc- 
cessful completion or failure: 


Ps(A) = probability of successful performance of task A (3-3) 


Pf(A) = probability of unsuccessful performance of task A (3-4) 


Given the two outcomes of event A, event B can then either be performed successfully or un- 
successfully: 


Ps(B) = probability of successful completion of event B (3-5) 


Pf(B) = probability of unsuccessful completion of event B (3-6) 
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INNITIATING EVENT EVENT OUTCOME 
EVENT A B 









SUCCESS 





FAILURE 







FAILURE 





FAILURE 






Figure 3-4: Event Tree Diagram 


The probability of successfully completing this task is then computed by multiplying the 
probabilities of occurrence of each of the events that constitutes the success path:* 


P(S) = the probability of successful completion of the task 
= Ps(A)*Ps(B) (3-7) 


P(F) = _ the probability of unsuccessful completion of the task 
= 1-P(S) (3-8) 


This use of event trees to model performance reliability assumes that each path is mu- 
tually exclusive and the system can be modeled with sequential logic. 

The use of event trees can become unwieldy as the number of events increases. For 7 
events, there are 2” possible paths. To reduce the number of paths, the events can be deduced 
such that irrespective of subsequent events, success or failure remains constant. Consider a 
four event system consisting of events A, B, C and D. For this system, if event A is successful, 
then regardless of events B, C, and D, the system will succeed. Similarly, if event B is unsuc- 
cessful, then regardless of events C and D, the system will fail. Following this line of reason- 


® It must be emphasized that this method assumes that the event probabilities are independent. 
26 








ing, where the outcome of subsequent events is inconsequential to the state of the system, then 
that leg need not be further developed. The event tree can be reduced to five paths instead of 
16. Refer to Figure 3-5. 


INNITIATING EVENT EVENT EVENT jEVENT OUTCOME 
EVENT A B Cc D 


SUCCESS 


FAILURE 


FAILURE 





Figure 3-5: Reduced Event Tree 


For the system in Figure 3-5, system reliability can be calculated as follows: 


P(S) = Ps(A) + (Pf(A) * Ps(B)*Ps(C)) + (PICA) * Ps(B) * Pf(C) * Ps(D)) (3-9) 
P(F) = (Pf(A) * Ps(B) * Pf(C) * Pf(D)) + (PF(A) * Pf(B)) (3-10) 


P(S) =1-P®) (3-11) 


3.4 The Grounding Fault Tree 


A fault tree for tanker groundings has been previously developed (Figure 3-6) [1]. By 
expounding on these concepts, the fault tree will be verified and those fundamental items of the 
fault tree will be further investigated. Event trees will be developed to assist in assigning prob- 
ability values. Appendix B is provided to give the rationale used in developing the grounding 
fault tree. 
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3.5 Summary 


The maritime culture, economics, and regulatory bodies all contribute to create a sys- 
tem that can be characterized as error-inducing. There has been little effort to characterize the 
system as a whole and to determine the areas that offer the greatest potential for risk reduc- 
tion. The NRC has determined that maritime safety as a whole, could benefit from the in- 
creased use of quantitative and qualitative risk analysis to develop risk reduction strategies 
[35]. 

The outlined approach has its foundations in the risk model and the event tree/fault tree 
methodology. Siu ef al. [55], have argued that the event tree/fault tree approach provides a 
natural framework for treating oil spill scenarios. 

When developing a PRA for oil spills it is important to recognize the areas of uncer- 
tainty. The PRA is a discrete analysis. Therefore, it is unable to account for the infinite num- 
ber of possibilities. Ideally, a PRA considers all the important aspects that lead to the unde- 
sired event, but there is the possibility that important contributions have been overlooked. 
Additionally, there are uncertainties due to the necessary approximations made in developing 
the model. Human failure factors, system complexity, and the subjective nature of the analysis, 
all present uncertainties that must be recognized. Despite the uncertainties, it is important to 
develop a PRA so that perceived risk does not produce either irrational behavior or reflex re- 
actions. The performance of a PRA reduces the uncertainty concerning some of the elements 
of risk so that resources can be better allocated. 

The performance of a risk analysis of and by itself can reduce risk as knowledge and 
awareness are gained [12]. Additionally, if the process of risk assessment is dynamic, the un- 
certainties can diminish with time as more knowledge is gained. Once the PRA is completed, 
allocating resources in the areas that are risk relevant, rather than trying to alleviate all con- 
ceivable hazards, allows for realizable risk reductions with limited resources. 
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Chapter 4 The Human Problem 


4.1 The Importance of the Human Problem 


The first step of a PRA is to identify system failures and sequences. The fault tree for 
tanker groundings was developed to determine the basic failures. The bottom layer of the fault 
tree describes the fundamental causes for tanker groundings. Qualitatively, human failure and 
individual error are significant in the progression of events leading to a tanker grounding. 
Therefore, to minimize the probability of failure, the human contribution must play an integral 
role in the PRA. 


4.1 The Historical Pervasiveness 


The failure of humans has long been recognized to have a substantial impact on the re- 
liability of complex systems [33]. The pervasiveness of human failure in the maritime industry 
has been recognized for a number of years. Human failure is a problem that must be addressed 
to effect any changes to the system. 

In 1972, the chairman of the American Hull Insurance Syndicate revealed that 85 per- 
cent of the Syndicate’s claims payments were for human-error casualties [38]. In 1976, the 
National Research Council (NRC) attributed 80 percent of vessel collisions, rammings and 
groundings to human error [38]. More recently, in 1993, the UK P&I Club reported that 62 
percent of the major claims associated with commercial shipping were a result of human error 
[30]. The large number of incidents attributable to human error is not constrained to the com- 
mercial arena. A report by the Naval Safety Center found that human error caused 70 to 85 
percent of mishaps involving U.S. naval vessels from 1989 to 1993 [32]. 

The tendency to classify all human errors as individual errors has led to the notion that 
those particular failures are a part of human nature. Consequently it seems that the high per- 
centage of accidents attributed to human error have become accepted as a norm of the mari- 
time industry. 

Casualties are as undesirable to the mariner as they are to the communities that they 
serve. It is myopic to believe that causality is restricted to those serving on board ships. Yet, 
it is the front-line operators that are typically blamed. Remember that the ship serves as the 
mariner’s shelter from the environment. It is also the mariner who suffers the immediate con- 
sequences of any ill-fated accident. As Singh states [52]: 


The least generous interpretation that one is forced to make is that if those 
on board put into danger, the very receptacle that shelters their lives and 
personal effects, then it could only be because they had no better response 
within their repertoire of skills and responses at the time. 
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In general, the industry maintains a punitive model aimed at those aboard ship with the 
expectation that accidents will be minimized. However, the scope of causality encompasses a 
much broader set than that of the front-line operators. The failure of the repertoire provides 
the reason for research not reproach. 


4.3 Human Failure and Individual Error 


Before delving into the nature of accidents, it is necessary to define an accident. An 
accident is an event or occurrence that has negative results, effects, or consequences. Acci- 
dents can be induced by factors internal and external to the system. Internal factors that cause 
accidents are system failures. A system failure is an event or occurrence that has negative con- 
sequences upon the system’s functioning [12]. 

The problem with the previously cited statistics is the attribution to “human error” and 
the subsequent interpretation of that term. The term “human error” has been used extensively 
to attribute causality of some system failure to a particular individual. However, “human er- 
ror,” as it is commonly used, encompasses more than just the substandard act of an individual 
or individuals, 

In fact, the term “human error” is unwarranted in many high-risk accidents and its use 
is a pejoration of the context. It points more to the action as an independent clause, rather 
than the context in which the action takes place [22]. Hence, it can lead to the mis-allocation 
of resources and an inability to avoid future accidents. Even though some failures are attribut- 
able to people, and it is common to call all such failures human errors, it is the design of the 
system itself that is prone to error. 

Reason [46] distinguishes the human contribution to system failures into two types of 


errors. 


1. Active errors. Errors whose effects are felt almost immediately. 
2. Latent errors. Errors whose adverse consequences may lie dormant within 
the system for a long time and only become evident when they combine with 
other factors to breach the system’s defenses. 
Therefore, human error embraces a far wider range of individuals and activities than those as- 
sociated with the front-line operation of a system [46]. To incorporate this concept, human 
error should be realized as a system failure, and it should be broken down into two sets: 


1. Human Failure. 


2. Individual Errors. 
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Human failure is a system failure that can be proximally attributed to the actions or in- 
actions of one or more people [12]. Individual errors are also system failures,” but their root 
cause can be attributed to a single person. There can be individual errors that do not have 
significant consequences and are not a part of an accident’s causal chain [42].'° 

The concept of human failure as a subset of system failures allows for the integration of 
latent errors. Front-line operators tend to be the scapegoat in post accident analysis. In real- 
ity, they are the inheritors of latent errors created by poor design, incorrect installation, faulty 
maintenance and bad management decisions [46]. Figure 4-1, adapted from [12], presents the 
context of human failures and errors. 


ACCIDENTS 


—— 


SYSTEM FAILURES 


INDIVIDUAL ERRORS 





Figure 4 - 1: Context of Human Failures and Individual Errors 


Individual errors may not even comprise half of all the human failures [12]. “In an er- 
ror-inducing system, the tendency to attribute blame to operator error is particularly promi- 
nent” [42]. It has been suggested that the 80 percent ‘human error’ attribution to the maritime 
industry is better represented as follows [42]: 


1. 40 percent individual error: component failures where the operator is the 
component that failed. 


2. 5 to 10 percent system failures: accidents that are an integral characteristic 
of the system, the interactive complexity and tight coupling of the maritime 
system inevitably will produce an accident. 


° This model does not consider malicious acts of individuals. 
1° Ordering a right full rudder when a left full rudder was intended is not part of an accident’s causal chain if 
the error is made on the open ocean. However, the consequences in a restricted waterway could be severe. 
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3. 30 to 35 percent human failures. errors resulting from a complex and 
tightly coupled system which requires long hours, has misplaced priorities, and 
skewed incentives. 


A detailed study of marine structures, which experienced some failure, indicated that 
even though the failures could be attributed to the acts of individuals, the dominant causes 
were organizational; erroneous actions by groups of individuals that influence the direct cause 
of failure and exacerbate or escalate its development through compounded errors [6]. 

As long as humans operate ships, there will be individual errors. Studies of the role of 
human failures in engineered structures have shown that they are inevitable [4], but many hu- 
man failures can be prevented through the appropriate combination of management and tech- 
nology. 


4.4 Accident Investigations 


Accident investigations are predominantly directed at causes low in the system hierar- 
chy--the front-line operators [20]. After an accident has happened, people consistently exag- 
gerate what could have been anticipated [15].'' The path from hindsight to an event is much 
more predictable than the exercise of foresight [15]. 

The hindsight effect fails to give the investigator a true understanding of the root 
causes of the accident. The hindsight effect leads to implicit stop rules that can bias the inves- 
tigation to the topical professional issue of the day [52]. As Perrow has discussed [42], the 
maritime industry is an error-inducing system, and there is a prominent tendency to attribute 
blame to front-line operators in an error-inducing system. 

The myopic approach taken by most investigation regimes has lead to number of 
nebulous studies of the human problem. While studies of human factors in maritime safety 
have addressed myriad subjects, few of the studies have linked their conclusions to the ship 
accident experience [16]. 

“Simply knowing how past disasters happened does not, of itself, prevent future ones” 
[46]. To gain an understanding of accident causation, investigations must extend the range of 
individuals and. organizations that have to be taken into account. The contributions of indi- 
viduals, often far removed in time and space from the actual accident must be evaluated [20]. 
Investigators must take the point of view of the operator to inhibit the hindsight effect. By 
preventing the hindsight effect, the investigator is less likely to introduce bias and invoke stop 
rules [52]. When the knowledge gained from accident investigations is combined with ade- 
quate theories of error production, a body of principles can be assembled, which can apply to 
the design, construction, and operation phases of the maritime industry that can reduce the oc- 
currence of errors or their damaging consequences [46]. 


"’ Groeneweg has labeled this the “hindsight effect” [20]. 
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4.5 The Pathogen Metaphor 


Major disasters are rarely caused by any one factor [46]. They arise from the unfore- 
seeable concatenation of several diverse events, each one necessary but singly insufficient [46]. 
Reason [46] has suggested a pathogen metaphor to emphasize the significance of causal fac- 
tors present in the system before an accident sequence begins: 


All man-made systems contain potentially destructive agencies, like the 
pathogens within the human body. At any one time, each complex system 
will have within it a certain number of latent failures, whose effects are not 
immediately apparent but that can serve both to promote unsafe acts and to 
weaken its defense mechanisms. For the most part, they are tolerated, de- 
tected and corrected, or kept in check by protective measures (the auto- 
immune system). But every now and again, a set of external circumstances 
-- called here local triggers -- arises that combines with these resident 
pathogens in subtle and often unlikely ways to thwart the system’s defenses 
and to bring about its catastrophic breakdown. 


Like the etiology of multiple-cause illnesses due to resident pathogens, complex sys- 
tems breakdown due to resident latent errors. This concept has been applied by Singh in The 
Aetiology of Groundings [52]. The challenge for this framework is to show how latent and 
active failures combine to produce accidents and to indicate where and how more effective re- 
medial measures might be applied [46]. 


4.6 Accident Causation 


There are numerous schemes to characterize and classify human failures and its causal- 
ity. Human failure may occur in any phase of the design, construction and operation of a 
complex system [5]. Unsatisfactory performance can be the result of improper design and 
construction of the system. Figure 4-2 is adapted from Bea [5] to show more explicitly the 
context of system failures. An accident can occur due to either external forces (“acts of 
God”), or some system failure. The system failure causality can be manifested in any or all of 
the design, construction, and operations processes. The elements of human failure in all three 
phases are influenced by the synergistic and antagonistic effects of: 


1. Individuals. 
2. Hardware. 
3. Organizations. 
4. Environment. 


5. Procedures. 
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However, many errors in the design and construction phase are latent, as such, they remain 
dormant until perturbed in the operations phase by unsuspecting operators. 


SYSTEM 
ENVIRONMENT FAILURES 
DESIGN CONSTRUCTION OPERATIONS 


SUB-SYSTEMS 


PROCEDURES INDIVIDUALS ENVIRONMENTS 
ORGANIZATIONS 





Figure 4 - 2; Human Failure Taxonomy 


4.6.1 Design and Construction 


Modern vessels are complex systems. The hulls of large vessels must be constructed to 
withstand the severe forces that the sea imparts. Designers are often motivated to use the least 
amount of steel rather than build the safest hull. While scantlings are regulated, the design 
standards are questionable. A study by the NRC [36] found that existing tanker design stan- 
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dards are no longer adequate. Because of the reduction in design margins, modern tankers are 
less robust and existing standards must be enhanced. 

Hull design is just one aspect of the vessel. The propulsion system, control systems, 
navigation systems, and communication systems are all a sample of the myriad systems that 
must be integrated into the hull. With all of these sub-systems of the ship system, design engi- 
neers must begin to explicitly evaluate humans as an integral part of the system design to better 
configure the ship for improved safety [4]. 

The interfaces between the system and the human must be ergonomically designed to 
minimize errors. For example, most people can relate to the experience of a learned lecturer 
having trouble with either a video cassette recorder, slide projector, microphone, etc. The 
problem is not with the individual, but the design of the system that the individual is trying to 
use. We have all had problems with doors (pushing instead of pulling), microwave ovens, 
video cassette recorders, and stereo systems, just to name a few items. Yet there is the ten- 
dency to blame either ourselves or the person we are observing as being at fault. In reality, it is 
the system itself. Norman [40] outlines the following principles of design: 


1. Visibility. The correct parts must be visible, and they must convey the cor- 
rect message. 


2. Mappings. How is what is wanted to be performed perceived from what 
appears to be possible. 


3. Affordance. The perceived and actual properties of the system. 


Safety features need to be adequately designed into the system to account for possible 
failures. Recognizing that it is impossible to account for all the possible failures, consideration 
of the most likely failures with appropriate redundancies can help to reduce catastrophes. 

While poor designs propagate through the construction phase, there are additional 
contributions to accidents that are characteristic of this phase. Failures in the construction 
phase often relate to the level of quality control and quality assurance. Improper construction 
materials, inattention, ignorance or the total disregard of design guidelines, and errors in the 
process of constructing the system are just a sample of the mechanisms for creating latent er- 
rors that future operators must deal with. 


4.6.2 Operations 


Of the three phases, design, construction, and operations, the majority of compromises 
occur during the operating phase and can be attributed to errors made by operating personnel 
[5]. Mistakes made during design are compounded during construction and passed to the op- 
erators as a complex system that has latent pathogens [46]. Nearly 64 percent of all disasters 
result from a human failure during operations [34]." 


12 Moore calls these Human and organizational errors (HOE). 
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The amount of interdependence reflects the amount of coupling with in the system. In 
a tightly coupled system, each area cannot be addressed in isolation. 


4.6.2.1 Sub-Systems 


Sub-systems entail the hardware and software required to support the whole system. 
Sub-systems of inadequate design exacerbate human failure. The hardware portion of a sub- 
system is a collection of equipment that has specific intended functions, and interacts among its 
pieces and with the people and software that operate the sub-system [12]. While technology is 
increasing equipment reliability, some believe that it is reducing the human reliability of its op- 
eration [27]. Engineers are often wont to incorporate new technology, but these new tech- 
nologies tend to compound latent system flaws [3]. These latent flaws can be manifested in a 
complex design, close coupling (failure of one component leads to failure of other compo- 
nents), difficult maintenance, and severe performance demands. 

Technology must also balance its ability to liberate human functions with the inevitabil- 
ity of human boredom when operators shift from doing to monitoring. Technological devel- 
opments incorporating automated systems tend to change the role of the operator from an ac- 
tive to a passive participant. The longer the individual is removed as an active participant, the 
less likely the person will have a clear understanding of the inner workings of the system 
should a crisis occur [34]. 


4.6.2.2 Procedures 


A taxonomic system relating skill, knowledge and rule-based actions to an operational 
task is shown in Figure 4-3 [12]. 

The taxonomy shows the role of procedures in terms of a rule-based action and diag- 
nosis based on the complexity of task to be completed. If diagnosis or decision making is 
needed but no rules are available to assist the activity, then action must be based on a deep 
fundamental knowledge [12]. Skills include pattern recognition and actions that are manual, 
well trained, well known, and practiced frequently [12]. Where either skill or knowledge is 
insufficient or inappropriate, rule based-behavior is essential. 

Since absolute skill and knowledge can not be achieved for the various levels of opera- 
tion of a large vessel, there must be minimum levels of expertise with appropriate procedures. 
Voyage planning, pre-underway check-off lists and explicit communication procedures are all 
examples of necessary rules that must come from an overall procedural framework that needs 
to be developed, evaluated, implemented and enforced. 
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Figure 4 - 3; Embrey’s Taxonomic System 


4.6.2.3 Organizations 


The influence of the organizations on the reliability of marine systems is the most per- 
vasive of the human failure related accidents [3]. 

Organizations have an impact on individual response as a result of its structure and 
culture. Both structure and culture are functions of each other. As the NRC states [35]: 


The traditional command and leadership relationship has been considered necessary 
to maintain order and discipline, especially when faced with operating conditions 
that threaten the vessel, officers, and crew. But the hierarchical structure results in 

- unidirectional, top-down communications. Marine language and practices that de- 
rive from this traditional structuring leave little room for the development of a cul- 
ture that encourages bottom-up communication or the provision of rewards when it 
happens 
. .. This may be an important deficiency in the marine navigation and piloting sys- 
tem. .. Communication of problems detected by subordinates and solutions they may 
propose can be stifled by the rigidity of the traditional bridge organization and cul- 
ture unless the operating company, through the master, has fostered a more receptive 
bridge team communications environment. 
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The goals set by an organization can be the impetus for otherwise rational people to 
make irrational decisions. Pressures to reduce costs and maintain schedules may suppress the 
prudence of safe operations. 

The faulty decisions and subsequent erroneous navigation that leads to an accident can 
be related to the communication flow-path among the crew. However, it is the organization 
that establishes the structure of the communication flow-path. The safety of passage requires 
that the crew function as a team, especially in a restricted maneuvering setting. Sharing infor- 
mation and support among bridge team members is required to safely navigate the range of 
hazards and conditions encountered [35]. Since access to information is typically divided 
among the team members, a loss in the smooth functioning of the team results in a break in the 
flow of information. 

Other aspects of the organization that need to be addressed are the individual differ- 
ences among crew members. These differences are amplified when multi-national crews are 
employed. Language barriers, cultural and economic background all influence the cohesive- 
ness of the team. 

Fundamentally, the faults described above can be broken into two classes of problems 
facing organizations [3]: 


1. Information. Who knows what and when. 


2. Incentive: How are individuals rewarded, what decision criteria do they use, 
how do these criteria fit the overall objectives of the organization? 


4.6.2.4 The Environment 


External and internal environments contribute to individual error. 


1. External factors: darkness, extreme temperature, storms and other natural 
phenomena. 


2. Internal factors: lighting, temperature, noise levels, and vibrations. 


Environmental effects can create psychological and physiological human responses that can 
exacerbate the potential for human failure and individual error. 


4.7 The Dynamics of Accident Causation 


When one considers all the things that must go wrong for an accident to occur they are 
truly remarkable events. Within the realm of accidents, system failures have their primary ori- 
gins in the decisions of designers and high-level managers. At the ship level, the master can 
exacerbate or mitigate the adverse effects of high level decisions, but the master can also intro- 
duce other pathogens into the system. Each of the pathogens introduced into the system can 
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play a significant role in both provoking and shaping a large set of individual errors. While 
very few individual errors result in actual damage or injury (giving a wrong rudder order in the 
open ocean has no effect on the safety of the ship), when errors occur in the presence of some 
hazard, then the potential for catastrophe is real. System defenses include redundancies, auto- 
matic safety devices, and alarms to warn operators of a hazardous situation. Since designers 
are unable to account for every possible situation, safety systems inherently have windows of 
opportunity for an accident trajectory to contravene. Circumstantial factors can bias the sys- 
tem to align the mappings of the various failures; creating windows of opportunity through 
each layer of the system. Accidents occur when the mappings of system failures, human fail- 
ures and individual errors all conform to allow the accident opportunity to breach each of the 
layers. Figure 4-4 illustrates the dynamics of an accident. 
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Figure 4 - 4: The Dynamics of Accident Causation 


4.8 Technology and Risk Homeostasis 


The maritime industry has been the recipient of ever improving technologies. The 
Global Position System (GPS) incorporates satellite technology to allow vessels enhanced 
navigational accuracy. Microprocessor technology has been incorporated into GPS receivers, 
Automatic Radar Plotting Aid (ARPA) radars and collision avoidance systems. Laser technol- 
ogy has allowed for massive amounts of information to be stored and read on compact disk 
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leading to the Electronic Chart Display and Information Systems (ECDIS).'* Electronic Data 
Interchange (EDI) incorporates microprocessor, satellite and laser technology. It has the po- 
tential to revolutionize the process of data dissemination through the entire shipping chain 
[54].* Additional developments include the Global Maritime Distress and Safety System 
(GMDSS) and INMARSAT."° 

Despite all the technological developments, accidents still occur. While the maritime 
industry has looked to technology to resolve its problems, the problems remain. There is a 
tendency towards the notion that only technology is allowed to promise progress and that re- 
placing technological products with manual operators is a step backwards [21]. However, 
technology can increase human risk and the susceptibility for human failure by increasing the 
complexity and creating a more tightly coupled system. Even though major technological ad- 
vances have occurred and been implemented, the attribution of human error has remained rela- 
tively constant over the past 20 years. There seems to exist the phenomenon of ‘risk homeo- 
stasis’ [22]: 


...that advances in technology lead to a reduction in perceived risk, hence to behavior 
that is closer to the limits of acceptable performance--thereby effectively reducing the 
margin for safety. 


When radar was introduced to the maritime industry, it was thought that collisions 
would be eliminated. Now there are radar assisted collisions. In one study, it was discovered 
that when initial detection was made by radar, the vessels made as many course changes in the 
direction of the target as away from it [38]. We are now beginning to see GPS assisted acci- 
dents.'° Because of the lack of standards for GPS equipment, in conjunction with a lack of 
proper training, it is likely that the GPS assisted collisions will increase.’’ 

There is an apparent coupling between erroneous actions and system complexity. 
Many accidents are induced by failures of technological systems, which seem to arise from the 
complexity of the systems themselves [42]. The introduction of technology to reduce human 
failures leads to more complexity; hence, more failures. Hollnagel [22] refers to this as the 
Law of Unintended Consequences (Figure 4-5). 


'3 The potential of ECDIS is immense. It could be linked via satellite to enable automatic updating of chart 
information. Additionally, there is potential to integrate ECDIS into all facets of marine navigation and pilot- 
ing systems--ARPA, GPS, fathometer, auto-pilot, etc. 
'4 IMO has generated a set of Facilitation messages that can be used to send information such as crew lists and 
cargo declarations to port authorities, customs, immigrations, etc. The UN is developing the Electronic Data 
Interchange For Administration, Commerce and Transport (EDIFACT). New York and New Jersey have es- 
tablished the Automated Cargo Expediting System (ACES) to replace booking forms, delivery orders, arrival 
notices, demurrage guarantees, and bill of ladding details etc. [54]. 
'5 INMARSAT, established by the International Maritime Satellite Organization, allows the transmission of 
voiceband data, facsimile, telex, and high speed transmissions fro sea to shore via satellite. 
'© The recent grounding of the Royal Majesty is an example of a GPS assisted accident. 
'” Conversation with Singh. 
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Figure 4-5: Law of Unintended Consequences 


Shipboard technology has typically been used to reduce the manning and insulate the 
operators that remain. As the trend toward manning reduction continues, it is not clear that 
there is a trend to increase the personnel standards of the remaining mariners. “Perhaps it is 
time to look at the person rather than the machine” [54]. 


4.9 Summary 


Human failures encompass more than individual errors. The tendency to classify all 
human failures as individual errors has led to the notion that these failures are a part of human 
nature; as long as humans operate ships, there will be individual errors. 

While the importance of human failure has been known, little has been done to effec- 
tively address it. Given a consistently high human failure rate, the natural corollary has been 
which human. The resulting quest for a human to blame has become a justification for exis- 
tence for many investigation systems [52]. Post accident investigations, which find human fail- 
ures, tend to limit human failure to the front-line operator rather than to search for the underly- 
ing reasons that the operator erred. Investigations have focused on placing blame rather than 
on determining the underlying factors contributing the accident [6]. 

Studies spanning 20 years have identified consistent factors contributing to human fail- 
ure and individual error. While nearly all of these factors have been addressed in some form 
throughout the industry, most of these factors persist as pathogens. 

Figure 4-6 shows the world’s vessel losses by tonnage for the years 1988 to 1992 [25]. 
Given the high attribution of these accidents to human failure and individual error, millions of 
tons, and hundreds of lives, can be saved if a concerted effort is undertaken to understand the 
human element. Once understood, high-leverage factors can be identified and limited re- 
sources can be allocated to minimize human failures, individual errors, and their effect. 
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Figure 4-6: World Tonnage Losses 1988 - 1992 


Studies of the role of human failures in engineered structures have shown that they are 
inevitable [5]. While there may exist the phenomenon of risk homeostasis, the appropriate at- 
tention to management and technology in the design, construction, and operations phases of 
the system can minimize the frequency of undesirable consequences. 

Unfortunately, there are several technical problems in trying to assess human reliability 
in a risk setting. Human risk assessment is a relatively new discipline [12]. Rather than prop- 
erly address human failure, the industry has focused on technological and structural fixes of the 
ship and punitive models aimed at the operators to address accident prevention. 

Difficulties in addressing human failures are directly attributable to the lack of sufficient 
data in accident reports. In spite of the near constant 80 percent human failure rate ascribed by 
accident reports, there has been little or no effort expended on classifying the failures. 

By conducting a PRA and integrating a Human Reliability Analysis (HRA), insight can 
be gained into the problems presented to and by people aboard ships. The HRA allows the 
analyst to look at human failure and individual error as events whose causes can be investi- 
gated rather than invoking a stop rules at the events themselves and placing blame on the per- 
son or persons performing the events. Quantitatively, human failure factors are typically the 
largest source of uncertainty in a PRA, but they do identify specific areas for potential risk re- 
duction and offer insight into possible risk reduction schemes. 
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Chapter 5 Human Reliability Analysis 


5.1 Methodology 


The significance of human failures and individual errors in the scope of system failures 
has been illustrated in the previous chapter. The field of human reliability analysis has been 
generated to more accurately assess the quantitative value of an individual’s performance and 
the associated factors impacting that performance. 

It is necessary to employ a human reliability analysis (HRA) technique that integrates 
into the PRA. The most popular methods of analyzing individual reliability involve the decom- 
position principle. The basic technique is to break the system down into its constituent ele- 
ments, or events, and to assign reliability estimates to those elements and then to compute the 
aggregated result [22]. The Technique for Human Error Rate Prediction (THERP) provides 
that HRA scheme 


5.2 THERP 


The THERP approach is a method to predict individual error rates. It is the most 
widely used approach in HRA [17]. The THERP method allows the analyst to evaluate the 
degradation of the human-machine system likely to be caused by: either individual errors alone 
or with equipment functioning; operation procedures and practices; other system and human 
characteristics that can influence system behavior [58]. It combines a modeling method with a 
series of data tables containing basic human error probabilities (HEP) rates that are modified 
by a series of performance shaping factors (PSFs). The original data used to support the 
model was obtained from a series of observations and trials conducted at the Sandia National 
Laboratories. 

The approach is similar to a traditional system reliability analysis modified to account 
for possible individual error. Rather than generate equipment system states, it produces possi- 
ble human task activities and the corresponding error possibilities [33]. 

The required steps for a THERP analysis are as follows [58]: 


1. Define system failures of interest. 
2. List and analyze the related human operations (task analysis). 


3. Estimate the relevant error probabilities. 


'8 The tasks that initiated THERP involved bomb assembly ina U.S. military facility [D4]. 
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4. Estimate the effects of individual errors on the system failure events. 


5. Recommend changes to the system and recalculate the system failure prob- 
abilities. 


The following paragraphs outline the methodology utilized to incorporate the above steps into 
the PRA for grounding. 


5.2.1 Define System Failures of Interest 


Recall the goal of the PRA is to identify the risks of accidental oil outflow from oil 
tankers. Reference [1] identified four principal failure modes: 


1. Grounding. 

2. Collision. 

3. Structural. 

4. Fire/Explosion. 


Of these failure modes, groundings were investigated because of their significance as a source 
of accidental oil outflow. An analysis of the tanker as a system resulted in the grounding fault 
tree. From the fault tree, significant human interactions and task characteristics are identified 
for further investigation. Of the 32 elements that comprise the group of minimal cut sets in the 
grounding fault tree, 19 are directly related to human failure. The failures of interest that re- 
quire further investigation will come from the set of 19 related human failures. 


5.2.2. List and Analyze Related Human Actions 


From the fault tree, processes need to be identified that incorporate the failures of in- 
terest--task analysis. Task analysis is an analytical process for determining the specific behav- 
iors required of an individual within a system [58]. A task has certain associated requirements 
that are performed in a specific environment and require a certain degree of intellectual and 
psychomotor skills. In THERP, a task is a minimal set of human actions that accomplishes a 
specific goal--a series of actions or steps. A deviation from an intended task step is an error. 

There must be a systematic description of the appropriate actions that the individual is 
expected or required to carry out and the possible deviations from the requirements. The basic 
steps of a task analysis are as follows: 


45 








1. Evaluate the capabilities and limitations of the personnel performing the 
tasks. 


2. Evaluate the tasks. 
3. Determine possible deviations from the anticipated tasks. 
4. Determine possible recovery actions. 


The most difficult aspect of the task analysis is identifying the possible unplanned 
modes of operator response. Once the possible human errors have been determined for each 
task and subtask, there must be a consideration for human recovery actions (recovery from an 
abnormal event or failure). It must be remembered that even the best analyst cannot identify all 
possible modes of human response [58]. Therefore, it is important to identify the most impor- 
tant tasks and most of the ways performance failures can occur for the respective tasks. 

The basic tool used to model tasks and task sequences is the event tree. THERP 
analyses incorporates event trees. Decision processes are modeled as binary events; either the 
task is a success or a failure. In contrast to fault trees, which are deduced from an end state, 
event trees work forward in time. Event trees indicate the success paths and the plausible fail- 
ure paths. That is, according to time sequence or procedural order, the event tree represents 
the sequence of intended actions and possible alternative actions in response to an initiating 
event. The events must be sufficiently decomposed into small enough elements for which there 
is sufficient reference data to estimate probabilities. 

Inherent with a task analysis is a determination of whether the demands of the system 
exceed the capabilities of the human components. Hence, fundamental to a task analysis is the 
determination of the skill, experience, training, and motivation of the personnel who will oper- 
ate the system [58]. 

Probability shaping factors (PSFs) are those factors that affect the ability of personnel 
to carry out tasks [17]. Incorporated in the task analysis, is a determination of those factors 
that adversely affect human performance. Once tasks have been decomposed, it should be 
easier to identify the PSFs that influence the performance of the task. The context of PSFs and 
there applicability to this analysis are discussed in paragraph 5.3. 


5.2.3 Estimate Relevant Error Probabilities 


For those human performance elements analyzed, it is necessary to determine the prob- 
ability of the individual(s) to error and the influence that the hardware, procedures, environ- 
ment, organizations, and the respective interfaces have on the individual(s). The error prob- 
abilities are required for the branches in the event tree. THERP contains a data source for es- 
timating individual error probabilities in reference [58]. Once the individual error probabilities 
are incorporated in the event tree, the overall reliability of the task can be calculated. 
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5.2.4 Estimate the Effects of Error on System Failure Events 


The results of the event trees are incorporated into the system fault tree to ascertain the 
probability of the undesired events in the fault tree and ultimately, the probability of grounding. 

Once the appropriate probabilities are incorporated into the fault tree, a sensitivity 
analysis is performed to determine which event offers the largest potential for reducing the 
probability of grounding. Conversely, the sensitivity analysis shows those events that can 
significantly increase the probability of grounding. 


5.2.5 Recommend Changes to System Design 


The high-leverage factors identified in the sensitivity analysis are analyzed to determine 
methods that may minimize the individual event probability of failure, or at least prevent in- 
creasing the probability of failure. 

Figure 5-1 graphically shows the process for incorporating the elements described 
above. 
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Figure 5 - 1: Probability Determination Process 
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5.3 PSFs 


As stated previously, PSFs are determined inherently in the task analysis, and they 
identify factors that affect the ability of personnel to carry out tasks. Data relating PSFs to 
HEPs is scarce. Because of the nature of the probability determination for individual events in 
this thesis, e.g., determining marine task probabilities from analogous nuclear power tasks, 
explicit quantitative impacts of PSFs on individual tasks will not be determined. Instead, a 
sensitivity analysis will be done to determine those events that require more investigation. 
Recommendations will be based upon the results of the sensitivity analysis. While the use of 
quantitative PSF impact is not utilized, a discussion of PSFs is germane. 

The manner in which the individual perceives, thinks about, and responds to the inputs 
he receives, depends on the PSFs. The PSFs become important when looking for means of 
improving performance [17]. It is essential to the HRA that the proper PSFs be identified to 
determine the effect external influences have upon the individual and to minimize the adverse 
effects. Table 5-1 shows the PSFs from NUREG1278 [58]. 

The PSFs determine whether individual performance will be highly reliable, 
highly unreliable, or at some level in between [58]. Recall the PSFs identified in Table 3-1. 
There is very little data to support the quantification of many of the cited PSFs [58]. Addi- 
tionally, many of the PSFs result in various degrees of stress upon the individuals involved with 
the task at hand. The question remains, what degree of stress does each of the stress produc- 
ing PSFs induce? 

A stressor is defined as any external or internal force that causes bodily or mental ten- 
sion [58]. As such, stress can be classified by its two sources: physiological and psychologi- 
cal. Stress is not necessarily undesirable. It has been shown that there are optimum levels of 
stress to maximize the performance of individuals. 

The relationship between psychological stress and performance is shown in Figure 6-2 
[2]. A certain level of stress will maximize the level of individual performance. As stress in- 
creases, the performance of most people will deteriorate rapidly. A particular problem under 
high levels of stress is that of response perseveration--“the tendency to make some response 
(or a very limited number of responses) that is incorrect repeatedly” [58]. Perseverate behav- 
ior can result from either the lack of skills to adequately process the information at hand, or 
from an inability to recall and use the appropriate skills. In either case, the training and experi- 
ence level of the individual impact that individual’s performance level during periods of high 
Stress. 
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Effects of Stresses on Performance 
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Figure 5 - 2: Effects of Stresses on Performance 


At the lower extreme of the stress level, the performance levels of most individuals will 
also decrease. Since low levels of stress do not offer enough arousal to keep a person suffi- 
ciently alert to do a good job [58]. Swain [58] calls this loss of alertness the vigilance effect-- 
ineffective monitoring that develops when the operator is not experiencing enough signals to 
maintain a sufficient level of stress.’” 

The primary physiological stressors applicable to the mariner are from fatigue, motion 
sickness, and the duration of either the psychological or physiological stress that the mariner 
must endure. When an individual must perform under physically uncomfortable conditions, 
errors of omission can be expected to increase [58]. 

Despite the ambiguity of the PSFs and the variability of human performance, it is still 
important to identify contributing PSFs. Therefore, for the human failure causal factors identi- 
fied in Table 5-1, PSFs will be identified, within the human failure taxonomy, that can affect 
the individual’s performance. 


5.3.1 PSF Considerations 


Recall that human reliability is affected by all the synergistic and antagonistic effects of 
hardware, procedures, environment, organizations and the interfaces of these with the individ- 
ual (Figure 5-3) [3]. 


'9 Tn World War II, the British realized that the maximum time that a ship’s lookout could be kept on duty ef- 
fectively was about thirty minutes. After thirty minutes, the probability of the lookout detecting an enemy sub- 
marine’s periscope was unacceptably low even though the lookout’s life and those of his shipmates were at 
stake [58]. 
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Figure 5 - 3: Human Failure Factors 
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All of the above listed items come with inherent factors that affect the ability of person- 
nel to carry out tasks. 


5.3.1.1 Hardware 


The bridge design of a ship can affect the performance of individuals either favorably or 
adversely. The bridge size of most tankers is significant. Therefore, the location of vital navi- 
gational equipment (radar repeaters, communications, gyro repeaters, rudder angle indicators, 
charts) should all be readily accessible to the conning officer. Since it is normal for people to 
avoid unnecessary effort, they may try to read displays from a distance and make errors in their 
readings [58]. These issues are especially prevalent in older tankers that were not designed 
with contemporary manning levels taken into consideration. Many older tankers were de- 
signed with the chart room separate from the bridge.” 

The perceptual requirements of a task are determined by the task and the equipment 
features that convey information to the individuals [58]. Therefore, crucial information must 
be reliably conveyed with the essential information to the conning officer.’ In general, the 
hardware must be designed such that it interfaces properly with the individuals utilizing it. 


2° On a recent tanker visit, the chart room was behind the bridge in a separate room. This required the conning 
officer to leave the advantageous view of the bridge to plot fixes. This behavior was restricted to open ocean 
steaming. For restricted water piloting, the crew utilized a smaller table on the bridge. The problem with this 
table is that there was no light fixture. Asa result, flashlights with white lights were turned on and off to plot 
fixes and compare the ship’s position with the track. This behavior was distracting and reduced the night vi- 
sion of all personnel on the bridge. 
21 ARPA radars beep in certain modes with certain data entries. Again, on the same tanker visit, it was diffi- 
cult to distinguish the ARPA radar beep from the steering alarm which occurs when the rudder angle indicator 
fails to respond to the ordered angle promptly. 
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The primary PSFs to be considered are: 
1. Architectural Features (bridge design). 


2. Perceptual Requirements (placed on personnel by the equipment). 


5.3.1.2 Environment 


The marine environment can be harsh. High sea state conditions can severely affect the 
performance of individuals through physiological stressors, particularly if the individual suffers 
from motion sickness. Even if motion sickness is not a problem, enduring days of high sea 
state takes its toll in the form of fatigue and stress as sleep becomes difficult. Motion sickness 
is typically constrained to the open ocean. It is more important to identify those environmental 
factors affecting performance in restricted waterways. The environmental factors contributing 
to the performance of piloting a vessel include the shipping channel width, traffic density, pre- 
vailing currents and winds, visibility, and the availability of navigational aids. 

The primary affect of the above factors on the individuals piloting a ship is to change 
the amount of stress. The mariner can spend days, or weeks in an open ocean transit where the 
risk of a grounding or collision are almost nonexistent and the margin for error is relatively 
large. But then there is a sudden transition to a restricted waterway where there can be a sig- 
nificant traffic density to avoid while contending with current and wind forces on the ship and 
maintaining a safe track through the use of navigational aids and radar fixes. In addition to the 
stress associated with operating in a restricted waterway, there is stress induced as a function 
of the rapid transition from open ocean to restricted waters. The particular stressors placed 
upon the mariner due to the environment are: 


1. Suddenness of onset. 

2. Duration of stress. 

3. Long uneventful vigilance periods. 
4. Distractions. 


5. Inconsistent cueing. 


5.3.1.3 Organization 


The organizational structure (authority, responsibility, and communication channels) of 
the ship and the corporate management for the ship impact the performance of the ship’s op- 
erators. Goals set by an organization can lead a rational individual to conduct operations 
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which corporate management would disapprove of if they were aware of the reliability impli- 
cations [3]. Pressures to reduce costs and maintain schedules can either provide the motiva- 
tion for operators to take greater risks, or may not provide the adequate resources for opera- 
tors to function with a sufficient safety margin. 

Administrative control, with regard to procedural compliance, is necessary to ensure 
that abnormal conditions are restored properly. The perceived criticality of the task at hand 
determines how much attention an individual will devote to the task [58]. A conning officer’s 
perception of importance will be directly influenced by the Captain and the prevailing attitude’s 
of the experienced personnel on board. 

Rewards, recognition and benefits serve to provide the incentive for an individual to 
perform in accordance with the organization’s goals. These serve to affect an individual’s de- 
cision criteria and how these criteria are used [3]. 

The bridge team structure affects the interaction of the individuals that make up the 
team. By encouraging interaction, the principle of redundancy is employed. Additionally, once 
an error occurs, recovery action is more likely. 

The above effects on an individual’s performance can be summed up in the single PSF: 


1. The Organizational Structure. 


5.3.1.4 Procedures 


The design and adherence to properly written procedures can lessen the interpretation 
requirements placed upon an individual. The more interpretation that is required, the longer 
the response time, hence the greater probability of error [58]. One of the most important work 
methods is the correct use of properly written procedures and checklists. The shipboard envi- 
ronment typically suffers from the lack of procedures, rather than the lack of adequate proce- 
dures. 
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The nautical rules of the road are a common factor to all mariners. Adherence to the 
rules is more likely a function of the organizational structure. Therefore, the prevailing PSF is: 


1. Existence and quality of procedures and checklists. 


5.3.1.5 Individuals 


The scheduling of work hours and work breaks are unique in a sea duty environment. 
Watchstanding must be coupled with maintenance and repair activities. When loading and un- 
loading cargo are coupled with scheduling pressures, time stress can occur. Individual per- 
formances are degraded when the body’s circadian rhythms are disrupted.””_ In addition to the 
stress that can be induced from long work hours, fatigue becomes a critical matter. The re- 
quired work hours are directly affected by the ship’s manning. Reduced manning initiatives 
have required fewer people to do more jobs. Studies have shown that as fatigue increases, the 
detection of visual signals deteriorates and individuals exhibit more errors [58]. 

The piloting of a ship requires the conning officer to be alert to many signals. Indi- 
viduals are only capable of paying attention to one thing at any instant in time [58]. Experi- 
ence allows the individual to switch attention among several stimuli, however, the individual is 
attending to just one stimulus at a time. In a restricted maneuvering channel with high traffic 
density, there may be too many auditory and visual signals competing for the conning officer’s 
attention that an information overload can occur. As a result, some signals will either not be 
perceived, or they will be ignored because of the priority of other signals. Feedback refers to 
the knowledge of results that a person receives about the status or adequacy of his or her out- 
puts [58]. The information processing by individuals requires a closed loop to reliably perform 
complicated activities. Specifically, feedback provides an individual with objective information 
on what is supposed to be done, and whether it is done correctly, with detailed information on 
when and how the individual failed to do the task correctly [58]. When feedback delays occur, 
it becomes difficult to see the association between feedback and intervening events [51]. Slow 
feedback is inherent to the piloting of large vessels. The maneuvering characteristics of large 
vessels are such that they respond slowly to the control inputs. Because of the feedback delay, 
it takes a great deal of experience and a minimum level of proficiency to be able to properly 
maneuver a large vessel. 

The primary internal PSFs operating on the individuals reliability are: 


1. Fatigue. 
2. Experience and training. 
3. Proficiency. 


22 Studies done to determine the effects of the standard three-watch rotation (four hours on watch, eight hours 
off) have concluded that crew member’s circadian rhythms are disrupted resulting in sleep deprivation. The 
results have shown a degraded performance in monitoring and judgment and increased stress [37]. 
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5.3.2 PSF Synopsis 


The primary PSFs that act upon and within an individual mariner to effect the reliability 
of that mariner, are as follows: 


1. Bridge Design. 

2. Equipment Ergonomics. 

3. Stress Placed on the Individual due to the environment. 
4. The organizational structure. 

5. The existence of procedures and checklists. 

6. Fatigue. 

7. Experience and Training. 

8. Proficiency. 


Just as important to identifying the PSFs, is identifying the means for either reducing or elimi- 
nating the adverse impact that the PSFs can have upon an individual. 

In order to better ascertain the relevant PSFs, the analyst should actually perform the 
tasks according to the prescribed procedures to evaluate the human processes involved in per- 
forming each of the events within the task. It is this hands-on experience that lends the analyst 
insight into the appropriate PSFs and the potential impact on each event within the task. 


5.4 THERP Critics 


Critics of THERP, question the underlying assumptions in the approach. It assumes 
that a task can be broken into discrete events, and that each event in isolation is not signifi- 
cantly different from the task as a whole. While this decomposition principal has its weak- 
nesses, it is a systematic approach to an industry-wide problem, and it has shown success in 
identifying areas for improving human reliability. Additionally, there is a question of validity 
when using THERP for evaluating either high level decisions, or diagnostic tasks. While there 
is truth in the criticism, THERP does provide a starting point for the maritime industry where 
data relating cognitive psychology to the process of marine transportation is non-existent. 
Therefore, the resulting absolute risk likely incurs a large margin of error, however, the relative 
risk serves to offer insights into the ways that the absolute risk can be minimized using sensi- 
tivity analyses as a way to identify vulnerabilities, which may be subsequently removed. 
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5.5 Summary 


Familiarization is fundamental to the THERP method. Familiarization includes infor- 
mation gathering, ship visits and the review of procedures. Hence, site data collection is es- 
sential to the risk assessment [17]. 

Many tasks inherent with piloting a ship are not well defined. Even in routine tasks, 
there are myriad possible deviations from the anticipated routine. For tanker groundings, the 
tasks that make up the cut sets of the fault tree must be analyzed such that they can be broken 
down into fundamental steps for which probabilistic data can be applied. Once the steps are 
quantified with HEPs, the sensitivity analysis allows managers, regulators, and operators to 
focus on the high-leverage factors to minimize the overall risk of grounding. 
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Chapter 6 Probability Determination 


6.1 The Grounding Fault Tree 


Recall the grounding fault tree (Figure 6-1) [1]. From the fault tree, causality can be 
broken into two broad categories: 


1. Planning and piloting: the vessel is able to follow a safe track, however, it 
proceeds down an unsafe track due to a planning or piloting failure. 


2. Equipment, assistance and environment: the vessel is unable to follow a 
safe track because of mechanical failure, assistance failure and adverse envi- 
ronmental conditions. 


The above breakdown is consistent with a study done by Det Norske Veritas (DNV) 
[11]. DNV has defined the two categories as follows: 


1. Powered grounding: An event type that occurs when a tanker collides with 
the shoreline whilst underway due to navigational error and lack of crew vigi- 
lance. 


2. Drift grounding: An event type that occurs when a tanker loses its ability 
navigate, through loss of steering or propulsion, and is blown onto the shoreline 
before it is either taken in tow or is repaired. 


The causality derived by the fault tree is consistent with the grounding definitions de- 
veloped by DNV. For consistency and clarity the DNV terms are used to describe the two 
broad causal categories. The OR gate immediately preceding the grounding event in the fault 
tree has an input from the powered grounding portion of the fault tree and an input from the 
drift grounding portion of the fault tree. Therefore, the Boolean expression for the probability 
of grounding can be restated as follows: 


P(grounding) = P(powered grounding) + P(drift grounding)” (6-1) 


23 As a Boolean expression, it is read as: The probability of grounding is equal to the probability of powered 
grounding OR the probability of drift grounding. As shown in Appendix A, a union operation expressed as a 
Boolean OR operation is implicitly equal to the probability expression: P(C) = P(A) + P(B) - P(A * B). 


a7 








dL NV sulpunory :] - 9 andi 


SNIGNNONS L3G 





SNIGNNOUS Gay¥3sMOd 


58 





From equation (6-1), P(powered grounding) and P(drift grounding) have the following identi- 
ties that are implicit from Figure 6-1: 


P(powered grounding) = P(the actual course proceeds down an unsafe track) 
* P(the ship is able to follow a safe track) (6-2) 


P(drift grounding) = —_—~P(the ship is unable to follow a safe track) 
(6-3) 


Notice the P(the ship is unable to follow a safe track) is the negation of P(the ship is able to 
follow a safe track). Through Boolean identities, P(grounding) is expressed as follows: 


P(grounding) = P(powered grounding) + P(drift grounding) 
= P(the actual course proceeds down an unsafe track) 
+ P(the ship is unable to follow a safe track) (6-4) 


6.1.1 The Emphasis on Powered Grounding 


Based on the analysis of 100 accidents at sea,”* Groeneweg [20] concluded that 96 of 
the accidents were preceded by human failures. There were 345 necessary human failures 
identified.” Out of all the identifiable and necessary human errors, 76 percent of these errors 
occurred on the bridge. 

Since the bridge is the controlling station for the ship, it is not surprising that the ma- 
jority of contributing events preceding an accident are attributable to the actions taken on the 
bridge. “Therefore, programs to improve safety should look carefully at what happens on the 
bridge” [20]. 

The significance of the bridge and the actions taken there, is reflected in the number of 
marine accident causal factors attributed to this controlling station of the vessel. This is sub- 
stantiated by the grounding fault tree. From Figure 6-1 and equation (6-4), the Boolean ex- 
pression for the grounding event is taken to the next level to show the importance of the 
bridge. 


P(powered grounding) = P(the desired track is unsafe) 
+ P(the course deviates from a safe desired track) (6-5) 


P(drift grounding) = P(an unsafe wind/current) 
*  P(an assistance failure) 
* — P(anchor failure) 
P(ship has lost way) (6-6) 


24 The 100 accidents at sea are all cases heard by the Dutch shipping Council between 1982 and 1985. For an 
accident to be heard by the Council it had to either involve a fatality or be of major interest to the community or 
marine industry. There were 2250 accident causes identified, out of which 345 were forms of human error 
[20]. 
° Necessary human failures implies that these failures were necessary for the accident to occur. 
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The Boolean expression for the probability of grounding can now be expressed as: 


P(grounding) = (P(the desired track is unsafe) + P(the course deviates from a safe desired track)) 
+ (P(an unsafe wind/current) * P(an assistance failure) * P( an anchor failure) 
* P(the ship has lost way)) (6-7) 


The above equation is stated as a Boolean expression.** By invoking the rare event 
approximation and assuming independence (see Appendix A for the details of Boolean algebra, 
probability theory, and the rare event approximation), the Boolean expression of OR’s and 
AND’s translates directly to a mathematical expression of addition and multiplication. There- 
fore, P(the desired track is unsafe) is summed with P(the course deviates from a safe desired 
track), and this quantity is then summed with the product of P(an unsafe wind/current), P(an 
assistance failure), P(an anchor failure), and P(the ship has lost way). 

Since the probabilities are all less than or equal to 1 (including P(grounding)), the 
product term (P(drift grounding)) will be less than the maximum probability within the prod- 
uct. Given the nature of the probabilities in the product term, one can see the importance of 
the sum term (P(powered grounding)). 

The bridge will be the center of focus for further analysis. Event trees will be devel- 
oped to determine the failure probabilities of powered grounding. Due to time constraints, the 
probabilities of drift grounding will be based upon historical data. 


6.2 Powered Grounding 


The powered grounding fault tree is shown in Figure 6-2. It can be seen that the fun- 
damental failures resulting in a powered grounding lie in the processes of planning and piloting. 
Those elements of the fault tree extending from “The Desired Track is Unsafe” constitute 
faults in the planning process. Likewise, those elements extending from “Course Deviates 
from a Safe Desired Track” are characteristic faults of the piloting process. 

Voyage planning and piloting are essential skills required of any mariner. Event trees 
can be used to further analyze and quantify portions of the fault tree. By developing event 
trees for each of these processes, the fundamental events of each of the processes are se- 
quenced. The sequence of the events involved with the processes incorporate the basic faults 
identified in the fault tree. From the event trees, the probabilities of either success, or failure of 
each of the processes, or elements of the processes can than be calculated. 

When events are human actions, probabilities will be determined from reference [58]. 
Excerpts of the tables from reference [58] used in this analysis are included as Appendix C, 
however, for further insight into each of the elements of the tables in Appendix C, it is recom- 
mended that one refer directly to reference [58]. 


26 As a Boolean expression, “+” are read as OR, and “*” are read as AND. 
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Figure 6 - 2: Powered Grounding Fault Tree 


6.2.1 Passage Planning 


The process of voyage planning requires the scheduling of escorts, tugs, and pilots for 
both departure and arrival ports. However, the essential element of a voyage plan is the pas- 
sage plan. 

The mariner has several sources of information available to ensure a safe and efficient 
passage. The failure to have on board the latest charts and other publications, and to keep 
them corrected imposes undue hazards to the crew and vessel, in addition to the adverse legal 
position should a mishap occur. 

The passage plan requires the mariner to plot the vessel’s intended track on the appro- 
priate charts. The charts must be checked to ensure that they reflect the most recently known 
navigational information (e.g., Notice to Mariners, Local Notice to Mariners, etc.). It is im- 
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portant to determine if low-water conditions impact the ship. Additionally, currents can impart 
significant forces upon the ship. Therefore, currents and tides must be checked.’ 
Figure 6-3 shows a typical passage planning event tree. Recall that for each event, the 


success limb is the upper limb, and the failure limb is the lower. 
1 6 
INNITIATE CAPTAIN 


PLANNING PROPERLY 
PROCESS VERIFIES 
PLAN 





Figure 6 - 3: Passage Planning Event Tree 


The process of verifying that charts reflect the most accurate navigational information 
involves checking various notices that are published to reflect changes in navigational informa- 
tion. Periodicals are issued to correct or update navigational publications. The primary peri- 
odicals are the Notice to Mariners and the Local Notice to Mariners. For instances where it is 
necessary, for the safety of navigation, to promulgate information without delay, a radio 
broadcast service is utilized. Messages used to indicate hazards are the Hydropac, Hydrolant, 
and the Broadcast Notice to Mariners. 

Prior to departure and arrival, publications must be corrected as necessary to reflect the 
most recent changes. The process can be tedious and time consuming. To determine the HEP 


27 While it is necessary to check current and tide tables to get an idea of the expected currents, to ascribe any 
real accuracy to these tables would no be prudent. 
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to apply to this task, the table for “Estimated Probabilities of Error When Using Written Pro- 
cedures Correctly”* from reference [58] is used. It is assumed that the process for checking 
the navigation periodicals and messages is analogous to the HEP for following procedures with 
no check-off provision.” 

The HEP for correctly entering the changes in the appropriate charts and publications is 
taken from the same table. Since the mariner has developed a list of changes to make, the HEP 
is taken from the line item for procedures with check-off provisions.” 

The task of determining waypoints for the passage involves studying the charts to de- 
termine the track to take the vessel from origin to destination. It is assumed that the HEP is 
analogous to that of preparing written procedures. 

The task of laying down the track involves the plotting of the waypoints and high- 
lighting any hazards to navigation. The process requires relatively precise use of dividers and 
simple mathematical calculations, analogous to a reactor technician’s use of a micrometer. The 
Handbook categorizes these tasks under arithmetic computations. 

The approval process presumes that the Captain takes a hands-on effort in verifying the 
validity of the track. A successful verification implies that the Captain has disapproved an im- 
proper plan. The analogous HEP from the handbook corresponds to the table for “Estimated 
Probabilities of a Checker’s Failure to Detect Errors.” 

A summary of the chosen probabilities is given in the table below. 


Table 6 - 1: HEPs for Passage Planning 


Event Analogous Nuclear Power Task Wana 
Number 
Check periodicals for Procedures with no check-off provision | 0.003 | 0.001 - 0.01 
changes 


Procedures with check-off provision 0.001 | 0.0005 - 0.005 
az 0 










Uncertainty 






Writing a procedural item incorrect] 0.001 - 0.01 
Procedures requiring simple arithmetic 0.005 - 0.05 
Hands-on type checking 0.01 | 0.005 - 0.5 


Incorporating the above HEPs into the passage planning event tree yields a resulting 
probability of failure of 1.692 x 10%, as shown in Figure 6-4. Failure is defined as implement- 
ing a faulty plan. 

It can be assumed that the first three events are independent of each other, since it 1s 
unlikely that the successive event will induce the operator to believe that the previous event 
was performed incorrectly. In other words, there is no mechanism for recovery. However, the 
performance of event 4 does provide for recovery. It can be rationalized that in the process of 
plotting the track, the plotter has a general idea of the way the track will lay-out before actu- 
ally plotting it, since the waypoints were determined from studying the charts. If this depend- 
ence is assumed, the event tree must model the recovery event. 





8 In this context, written procedures include any written materials. 

2? The HEP used assumes less than 10 changes have to be implemented (see Appendix C). 

%° It is assumed that the list is analogous to a check-list or procedure that a reactor technician might follow. 
63 








1 3 4 6 FAILURE OF INTEREST 
INNITIATE PLOT DETERMINE | LAY DOWN | CAPTAIN. |PROBABILITY FAILURE 
PLANNING CHANGES | WAYPOINTS PROPERLY OF 
PROCESS VERIFIES INTEREST 

PLAN 


9.93015E-05 Captain approves fauity pian 


2.98801E-05 Captain approves faulty plan 


9.84069E-06 Captain approves a faulty plan 


9.9400SE-08 Captain approves a faulty pian 


2.991E-08 Captain approves a faulty pian 


2.96109E-05 Captain approves a faulty plan 


2.991E-07 Captain approves a faulty plan 


0.0000000S Captain approves a faulty plan 


0.0001692 Probability for imlementing 
a faulty plan 





Figure 6 - 4: Passage Planning Event Tree with Associated Probabilities 


The recovery event is the recognition of the faulty track after the track is laid-out. This 
presumes that the individual laying down the track is checking it for the specific purpose of 
meeting the constraints of a safe passage. This is analogous to the table in reference [58] for 
checking displays for a specific purpose. This recovery event becomes event 6 in the event 
tree just preceding the Captain’s verification event. 
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Table 6 - 2: HEP for Recognizing Faulty Track 


Event Maritime Task Analogous Nuclear Power Task Uncertainty 
Number 





16 _| Recognize Faulty Track | Check chart recorder with limits | 0.002 | 0.001-0.01 


Figure 6-5 incorporates the recognition event and shows that the resulting probability 
of implementing a faulty track has reduced by an order of magnitude--from 1.692 x 10% to 
7.0049 x 10°. 


1 3 4 6 7 
INNITIATE PLOT DETERMINE | LAY DOWN RECOGNIZE CAPTAIN PROBABILITY FAILURE 
PLANNING CHANGES | WAYPOINTS FAULTY PROPERLY OF 
PROCESS TRACK VERIFIES INTEREST 
PLAN 


1.98603E-07 faulty plan approved 
2.98801E-05 faulty plan approved 
9.84069E-06 faulty plan approved 
9,92021E-08 faulty plan approved 
1.98802E-10 faulty plan approved 

2.991E-08 faulty plan approved 
2.96109E-05 faulty plan approved 
2.98502E-07 faulty plan approved 

5.982E-10 faulty plan approved 


0.00000009 faulty plan approved 


7.00487E-05 Probability for 
implementing 
a faulty plan 





Figure 6 - 5: Passage Planning Event Tree Incorporating Plot-Waypoint Dependency 
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The final probability chosen for implementing a faulty plan is 7.0049 x 10°. There are 
assumptions regarding the number of changes and the number of waypoints for a particular 
voyage. Additionally, ships on a continuous route between two ports will utilize the same 
track over and again. However, the process for the prudent mariner remains the same regard- 
less of the experience on the voyage route. 


6.2.2 Planning Information 


Inherent with evaluating the probability of the desired track being unsafe, is the deter- 
mination of the probability that the information used to plan the track is inaccurate.*’ Only a 
small portion of U.S. waters have been surveyed using the most advanced techniques, and 60 
percent of the soundings shown on nautical charts are based on lead-line surveys conducted 
over 45 years ago [35]. By conducting a search of the USCG’s CASMAIN database, a rough 
order of magnitude estimate has been developed for the probability of piloting with faulty navi- 
gational information. 

A query of the CASMAIN database was performed for the causes of vessel ground- 
ings. Interest lies in the cases where the vessel’s did not have the navigational information re- 
flecting the actual environmental conditions. It was assumed that the following causes attrib- 
uted to the casualty in the database were a result on inaccurate information: 


1. Channel not maintained. 

2. Unmarked channel hazard. 

3. Inadequate weather information available. 
4. Improper navigational aid location. 


The results of the query yielded 1,874 cases where vessels grounded due to false navi- 
gational information between the years 1980 and 1991. Of the 1,874 vessel accidents identi- 
fied, 298 were tankers. The location for these accidents is dominated by those that occurred in 
rivers. This illustrates the importance for understanding river dynamics and the increased cau- 
tion that must be exercised when transiting rivers. 

Based upon four of the busiest ports in the U.S.--San Francisco Entrance, New Or- 
leans, Baton Rouge, and Valdez, the number of vessel transits was obtained from the Army 
Corps of Engineers. For the years 1986 through 1990, the total number of transits for these 
ports is illustrated in Table 6-3 [64]. 


3! Presently, there is a Sea Grant research project being conducted by Woods Hole Oceanographic Institution to 
determine the extent which accidents are caused by faulty navigational data [67] 
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Table 6 - 3: Annual Vessel Trips for Selected Ports 


Transits Transits 


1986__| 1790 2783 
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The number of groundings near these ports, which were the result of incorrect naviga- 
tional information, is divided by the number of transits to determine the accident quotient. 


Information Accident Quotient = Number of Accidents due to Faulty Navigational Information 
Number of Transits (6-8) 


The accident quotient is then assumed to approximate the probability of grounding attributable 
to incorrect planning information. Table 6-4 compares these quotients.” 


32 Because the CASMAIN database does not easily allow the distinction between Baton Rouge and New Or- 


leans, these port trip totals are combined. 
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Table 6 - 4: Incorrect Planning Information Accident Quotients 
















Number of Accident Number of | Tanker Acci- 
Accidents 
water OR gE ee 
| San FranciscoBayEntrance}3_—s«d| 6819x100" [Oo COC 
| New Orleans/Baton Rouge _|83 | 8.794x10° [19 1374x110" 
[Total (tid BTCi* BOO” [19 1896 x10° 
| Channel Weighted Mean | 29.3 | 9.86x10-5 16.33 | 4.58x10-4 | 
| __—Standard Deviation | 46.5. 3.70x 10-5 [11.0 | 7.93 x10-4 





Based on the above quotients, it is difficult to determine any clear statistical conclu- 
sions, especially for exclusive tanker accidents. Additionally, the port characteristics are dif- 
ferent, imposing different variables on the ships transiting the specific waterways. An ap- 
proximation of 10% is used as a reasonable estimate. Let the upper bound of uncertainty be 
determined by the number of tanker accidents in the New Orleans/Baton Rouge waterway--10° 
3. The lower bound will then be estimated as 10°. It must be noted that this failure probability 
disregards differences in waterway characteristics. 


6.2.2 Piloting 


The piloting event tree is depicted in Figure 6-6. The initiating event is the actual 
course deviating from the planned track. The simple sequence of events is as follows: 


1. The actual course deviates form the planned track, This is the initiating 
event and the resulting probabilities are conditional upon this initial deviation. 


2. A difference error between the actual course and the planned track is gen- 
erated. To enable a detection of a deviation, the on board sensors must detect 
and offer that information to the bridge team. 


3. A fix is taken and plotted. Once the on board sensors offer the information 
to the bridge team, the bridge team takes that information in the form of a fix 
and the fix is then plotted on a chart. 


4. The difference error is detected. When the fix is plotted, the bridge team 
must evaluate the fix to detect that a difference exists between the actual posi- 
tion and the desired position. 


5. A correct course change is ordered. Once the ship’s deviation is recog- 
nized, a course change must be given to negate further deviation. 
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6. The helm responds correctly. The helm must respond with the proper rud- 
der order to bring the ship’s track back to the planned track. 


1 2 3 4 5 6 
ACTUAL COURSE A DIFFERENCE ERROR PROPER FIX IS THE A CORRECT | THE HELM 
DEVIATES FROM | BETWEEN ACTUAL COURSE | TAKENAND | DIFFERENCE COURSE RESPONDS 
THE PLANNED AND DESIRED TRACK PROPERLY ERROR IS CHANGE IS | CORRECTLY 
TRACK IS GENERATED DETECTED | IS ORDERED 





Figure 6 - 6: Piloting Event Tree 


Since the merchant fleet is limited in its manning, conning officers typically rely upon 
radar ranges and bearings to pilot the ship through restricted waters, rather than utilizing a pi- 
loting team to shoot and plot visual bearing lines. In restricted waters, pilots embark to take 
the ship to the port of call. For this reason, Dutton’s Navigation & Piloting [31] recommends 
that the mate performing the navigational duties in restricted waters refrain from making trips 
between the bridge wings, chart house and wheelhouse. Rather, it is preferable to utilize a 
chart table in the wheelhouse and fix the ship’s position with the radar in order to keep a close 
check on the pilot. 

The generation of a difference error between the actual course and the desired track is 
a function of the accuracy and reliability of the radar used to fix the ship’s position and the 
Global Positions System (GPS). The IMO has mandated performance standards for required 
navigational equipment in the Jnternational Convention for the Safety of Life at Sea [24]. Be- 
cause there are a number of systems installed on tankers, a value for the probability of generat- 
ing a difference error is chosen based upon the value presented in reference [41]. 

The process of taking a fix typically involves the taking of at least two radar ranges. 
This is done by selecting appropriate navigational aids, obtaining the ranges, and then plotting 
those ranges. The navigator must read the ranges off of the radar and plot them correctly on 
the chart. The result is the estimated ship’s position at the time the ranges were determined. 
The ranges are presented in a digital format, hence, the HEP is chosen from the table for 
“Probabilities of Errors of Commission in Reading Quantitative Information from Displays.” 
The recording of the information obtained involves more than just writing down the informa- 
tion. Since some skill is required in using the dividers to plot the ranges at the correct scale, 
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the HEP for recording 1s taken from the table for “Probabilities of Error of Commission in Re- 
cording Readings” is taken as the higher HEP. 

Once the fix is plotted, the navigator must assess if the course is following the desired 
track. This is analogous to a check-reading task where the navigator checks the plotted fix to 
ensure it is within tolerable limits of the desired track.* 

Given that the error in the course is detected, the conning officer must ascertain the 
correct course change to order. This can be as simple as a rudder order. While there is no 
written procedure to follow, it is assumed that when a course deviation is detected the proce- 
dure is to order a course change. The corresponding HEP is taken from “Estimated Probabili- 
ties of Error When Using Written Procedures Correctly.” 

Once the order to change course is given, the helm must properly respond to the order. 
This involves turning the wheel while watching the rudder angle indicator and the gyro re- 
peater until the ordered course is achieved. The helmsman must immediately respond and the 
procedure followed involves some skill. The standard order to the helm involves both a rudder 
angle order and a final course to steady on. The table “Estimated Probabilities of Errors in Re- 
calling Special Instruction Items Given Orally” is used. 


Table 6 - 5: HEPs for Piloting 


Number 
Read radar ranges (take a Reading a digital display 0.001 | 0.0005 - 0.005 
fix 















Uncertainty 


Plot ranges 0.001 | 0.0005 - 0.005 


5 Detect the difference error Check-reading with limits 0.001 | 0.0005 - 0.005 
between actual course and 
desired track 


| 6 | Orderacoursechange _—si| Nonpassive task error of commission | 0.003 | 0.001 - 0.01 


7 Helm responds to order Failure to recall two items given 0.003 | 0.001 - 0.01 
orall 


Once the helm responds to the order, the next event is to detect that the difference er- 
ror is eliminated, which begins the sequence of events again. Therefore, the resulting probabil- 
ity is based upon the number of fixes and assumes that the fix frequency is greater than the rate 
of departure from track.* 

Figure 6-7 implements the above probabilities in the event tree. 







53 Tn many restricted waters, the pilotage of a vessel takes on other forms of comparing actual position to de- 
sired position, such as visual ranges, parallel indexing, and relative position to a buoy. Singh [52] refers to 
qualitative estimation and quantitative measurement as the methods mariners use to determine position. For 
this analysis, it is assumed that the process of computing actual position, regardless of whether there is a 
qualitative estimation or a quantitative measurement, takes on the HEP for plotting the actual position from a 
fix,. 
*4 Tf the fix frequency was less than the rate of departure from track, then grounding is nearly inevitable since 
the ship will intersect the hazard before the fix allows an opportunity to determine the extremus situation. 
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1 2 
ACTUAL COURSE A DIFFERENCE ERROR PROBABILITY FAILURE 
DEVIATES FROM | BETWEEN ACTUAL COURSE OF 
DESIRED TRACK AND DESIRED TRACK INTEREST 
IS GENERATED 


0.002979203 Piioting Error 


0.002988168 Piioting Error 


0.000997053 Plioting Error 


0.000998051 Piloting Error 


0.00099905 Piioting Error 
0.00095 Piioting Error 


Conditionai 
0.009911524 Probability of 
Piioting Error 





Figure 6 - 7: Piloting Event Tree with Associated Probabilities 


The resulting failure probability for piloting is relatively large. However, recovery actions have 
not been considered. 

A more detailed analysis must be done to determine the failure probability when recov- 
ery and redundancy are applied. Considering a verification role for the mate and pilot in taking 
fixes and ordering course changes upon each other and the helm, the failure probability is low- 
ered. The analogous role in a nuclear power plant is that of either a second checker or an in- 
spector. Table 6-6 summarizes the events and probabilities that are added to incorporate a 
checking role in Figure 6-8. 


Table 6 - 6: HEPs for Verification Role 


Number 






Uncertainty 





0.0 





Hands-on type of checking 0.005 - 0.05 
|_8 _| Courseisverified __| Hands-on type of checking 0.005 - 0.05 
| 10 | Helm response is verified Hands-on type of checking | 0.01 | 0.005 - 0.05 





The process of actively verifying the helm reduces the probability of the helm making 
an error. From reference [58], the probability of recalling one or more instructions if a super- 
visor checks to see that the task was done is negligible. For this analysis, negligible will be in- 
terpreted as 10°. 

Incorporating the verification role for the mate and the conning officer yields a prob- 
ability of piloting error of 2.98 x 10° shown if Figure 6-8. 


71 








1 2 6 7 8 9 10 
ACTUAL COURSE A DIFFERENCE ERROR THE A CORRECT THE THE HELM THE HELM |PROBABILITY FAILURE 
DEVIATES FROM | BETWEEN ACTUAL COURSE DIFFERENCE COURSE COURSE | RESPONDS | RESPONSE OF 
PLANNED TRACK AND DESIRED TRACK ERROR Is CHANGE IS CORRECTLY | IS VERIFIED INTEREST 
IS GENERATED 


9.93068E-07 Piloting Error 


2.95829E-09 Piloting Error 
2.98817E-05 Pieting Error 
0.000997053 Pueting Errer 


0 99905 


9.98051E-06 Piloting Errer 
0.00099905 Puoting Error 
0.00095 0.00095 Pieting Errer 


Conditional 
0.002986961 Probability of 
Pillting Error 





Figure 6 - 8: Piloting Event Tree Incorporating a Verification Event 


Further verification is accounted for when the role of the Captain is considered. The 
Captain is responsible for the safe navigation of the vessel at all times. As such, the prudent 
Captain takes an active role in the piloting process. The event tree incorporating the Captain’s 
verification role is shown in Figure 6-9. The results from Figure 6-9 show that the probability 
for piloting error is 1.95 x 10°. 
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TUAL COURTA DIFFEREN! Fo CAPTAIN THE HE CAPTAI THE HELM 4 THE HELM] CAPTAIN [PROBABILITY Failure 

VIATES F EEN THE AC i} VERIFIES IFFERENC ETECTS THT C VERIFIES | RESPONDS] RESPONSE] VERIFIES of 

ANNEO TRA] AND DESIRE VERIFIED Fx ERROR IS | IFFERENC COURSE {CORRECTL IIS VERIFIED HELM Interest 
iS GENERATED. DETECTEO! ERROR jis RESPONSE) 


9 93068E-09 Pilotng failure 


0.999 
2.95829E-11 Piloting failure 


295829E-13 Piiotng failure 
2 98817E-07 Piloting failure 
0.9999 


© 0001 


9 93068E-12 Piloting failure 


2 95829E-14 Pilonng failure 


2 95829E-16 Piloting failure 
2:98817E-10 Piloung failure 
997053E-07 Pilotng failure 


9 84121E-12 Piloting failure 


2 93163E-14 Piloting tailure 


2:93163E-16 Pilonng tailure 
2 96425E-10 Pilotng fatlure 


984121E-15 Pilotng falure 


293163E-17 Pslotng failure 


2.93163E-19 Piloting tailure 
296125E-13 Piloting failure 
9 8807E-10 Piloting failure 


984121E-14 Piloting tailure 


2 93163E-16 Piloting failure 


293163E-18 Piloting faiure 
296125E-12 Piloting tailure 
0.9999 


0.0001 


984121E-17 Piloting leilure 


293163E-19 Pilonng failure 


2 93163E-21 Plionng failure 
2 96125E-15 Piiotng failure 
9 8807E-12 Piloting failure 
$398051E-08 Piloting failure 
000039905 Pilotng leilure 
000095 0.00095 Piloting failure 


Conditonal 
0.001950457 probability of 





Figure 6 - 9: Piloting Event Tree Incorporating Captains Verification Role 
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Figures 6-7 through 6-9 show how important the verification role is for each of the of- 
ficers on the bridge. A summary of the results for the piloting event tree analysis is provided in 
Table 6-7 for the varying levels of verification: 


Table 6 - 7: Summary of Piloting Failure Probabilities for Varying Levels of Verification 


Level of Verification Failure Probabilit 
None 1.38 x 107 


Mate and Conning Officer 2.98 x 10° 
Mate, Conning Officer and Captain | 1.95 x 10° 


The results show that the additional verification role reduces the failure probability by 
an order of magnitude. Since the Captain is the individual that is responsible for the vessel, 
prudence dictates a verification role because it provides an additional recovery event for failure 
of either the mate or conning officer to perform their respective verification events. The Cap- 
tain’s verification role reduces the failure probability another 30 percent. The Captain plays an 
integral role in the error detection cycle that will be modeled to allow for a recovery event after 
each of the piloting processes. The failure probability value of 1.95 x 10° will be used for 
further analysis. 

The piloting failure probability is time dependent; as the piloting process is periodic 
throughout the transit. Additionally, consideration must be made for recovery events after 
each of the piloting processes as the vessel transits the waterway. 

Consider the hypothetical waterway in Figure 6-10. The figure shows the ship’s track 
for an inbound transit. As the ship proceeds down the intended track, there can be errors in 
the piloting cycle that are not detected, however the ship is not necessarily in a failure state. 

As the ship deviates from its intended track into Region 1, there exists the ability to recover. 
Once the ship enters Region 2, however, the ability to maneuver the ship to avoid grounding 
becomes impossible.” 





35 Recall that collision is not considered. 
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Region 1: Region for possible recovery 
Region 2: Region for no recovery 





Figure 6 - 10: Hypothetical Waterway 


After each sequence of events in the piloting process, there is some probability, given 
the ship fails to correct its course to the desired track, that the crew will recognize the error 
and implement correction in the next piloting sequence. Define the error detection factor as 
the probability that the bridge team will recognize its failure in the piloting cycle before reach- 
ing Region 2. 















Error 
Detection 


Piloting 


— Process 


Finish 


Figure 6 - 11: Piloting with Recovery Flow Path 


The error detection rate can reflect the attributes of the waterway that the vessel is 
transiting. Consideration of traffic density, navigational aids, the existence of a Vessel Traffic 
Service (VTS), the quality of the VTS, the geography of the surrounding land, and the contour 
of the waterway bottom can all influence the error detection factor and the piloting process. 
For simplicity, it is assumed that the proximity of the planned track to a shoal has the largest 
impact, and that impact can be captured in the error detection factor. Therefore, the error de- 
tection factor is path dependent. As a result, this value becomes the most subjective value 
used in this analysis. 

From reference [58], the nominal checking probability provides the basis for determin- 
ing a value for the error detection factor. The lower limit is chosen as the error factor because 
of the many cues available to the mariner to recover. Given this failure probability, the event 
tree (Figure 6-12) is constructed from the flow chart of Figure 6-11. 
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Initiate Piloting Error Probability 
Sequence | Sequence | Detection 
Success 


Success 


0.005 0.000015 Failure 





Figure 6 - 12: Piloting and Recovery Event Tree 


Implicit in the above model, is that the probabilities remain constant through each suc- 
cessive cycle. This is questionable, because as the bridge team fails on one cycle, it is plausible 
that the likelihood for failure on the next cycle is higher. However, without any data it is diffi- 
cult to predict. Additionally, the model presumes a path dependent error detection factor. For 
this analysis, the error detection factor is held constant.*° This is done for purposes of illus- 
trating the analytic method, and recognizing that further elaboration would be unjustified in the 
face of poor data. 

The resulting probability of piloting failure is an error rate that is the product of the pi- 
loting error and recovery factor. 


P(piloting failure rate ) = P(piloting error) per piloting cycle x Error Detection (6-9) 
= 0.00198 per piloting cycle x 0.005 
= 9,90 x 10° per piloting cycle 


Piloting cycle = 3 minutes 


P(piloting failure rate) = 3.3 x 10° per minute 


For time dependent functions, the probability of failure of the system as a function of 
time can be defined by the unreliability function F(t). The unreliability function is determined 
by integrating the probability density function (pdf) f(t), which characterizes the behavior of 
the system. 

The exponential distribution used to describe a pdf is given as follows: 


f(t) = Ae? (6-10) 


2X. = rate of failure = the probability that the system will fail between t and t + A (6-11) 


The hazard rate h(t) is the probability of the first and only failure of an item in the next instant 
of time, given that the item is presently operating. One of the characteristics of an exponential 
distribution is the constant hazard rate with time: 


* Conceptually, the waterway can be broken down into regions. Each of the regions proximity to a shoal is 
reflected in the error detection factor. For this analysis, the waterway is considered one continuous region. 
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h(t) =2 (6-12) 


Let the piloting failure rate be represented by the rate of failure A. Then the unreliabil- 
ity function is determined as follows: 


t 
F(t)= | fle) d(e) 
0 (6-13) 


F(t) =1-e” (6-14) 


The probability of piloting failure is now given as F(t). The probability of piloting fail- 
ure along the track is determined by evaluating F(t) at the time of interest. The behavior of the 
unreliability over time is shown in Figure 6-13. 


0.02 
Piloting failure(t) 0.01 


0 
40 60 80 100 
time (hr) 


Figure 6 - 13: Piloting Unreliability versus Time 


6.3 Drift Grounding 


The drift grounding portion of the grounding fault tree is shown in Figure 6-14. In or- 
der for a drift grounding to occur, all of the failure conditions must be present: 


1. Unsafe wind/current: the prevailing winds and currents must be such that 
the environmental forces exerted on the vessel tend the vessel towards an 


grounding hazard. 


2. Assistance failure: there is either a failure to request assistance or the assis- 
tance fails to tend the vessel away from a grounding hazard. 


3. Anchor failure: there is failure to let-go the anchor or a failure of the an- 
chor in preventing the vessel from tending towards a grounding hazard. 
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4. Loss of steerage way: the ship is unable to proceed with directional stability 
due to either a loss of steering or propulsion. 


DRIFT 
GROUNDINO 


ASSIS TANCE 
FALURE 
UNSAFE 
WIND/CURRENT 
LOST way 
ANCHOR FAILURE 


ISNOT 
REQUESTED 
Lost 
fANCHOR NOT eaxCietatescne LOST STEERINO 
ASSISTANCE CONSIDERED 
1S 
Roy INTENANCE| {OPERATIONAL 
ENVIRONMENTAL 
- CONSTRAINTS 
ASSISTANCE eS Ge) e 
UNABLE TO PUT gay REPAB MAINTENANCE) [OPERATIONAL 
SHIP ON SAFE ERROR ERROR 
ASSISTANCE TRACK 
ARRIVES 
MAINTENANCE) [OPERATIONAL 
MATERIAL UNABLE TO 
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Figure 6 - 14: Drift Grounding Fault Tree 


6.3.1 Wind and Current 


In order to assess the wind and current issues, there must be an analysis of the prevail- 
ing winds and currents in the area of concern. This data is dependent upon location. 
For this analysis, the probability will conservatively be assumed to be 1.0. That is, the wind 
and current are such to always force a drifting vessel towards a shoal. 


6.3.2 Rescue and Assistance 


Salvage, in its most immediate form, consists of assistance rendered to a vessel that has 
suffered a casualty and is unable to continue by its own efforts [13]. Traditionally, the size of 
the salvage market has been dependent upon the size and age of the world fleet [13]. How- 
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ever, public sensitivity towards pollution and the threat posed by oil tankers have introduced 
other factors into the salvage market. The salvage industry has been subjected to rising opera- 
tional costs, growing competition, and static revenue. As a result, the worldwide spread of 
salvage hardware is patchy [13], leaving a questionable availability in some areas should a cri- 
sis OCCUTr. 

Under the 1989 International Convention on Salvage, the 1990 International Conven- 
tion on Oil Pollution Preparedness, Response and Cooperation, and OPA 90, greater emphasis 
is placed on dealing with the problem of pollution prevention. 

Currently, few dedicated tugs exist worldwide for these purposes [66]. In most areas, 
the industry is constrained by a system that relies upon “tugs of opportunity” to provide assis- 
tance. This system is bounded by the availability, capability, and expertise of the tugs within a 
response area [66]. To address the system constraints, there is a momentum towards legislat- 
ing dedicated rescue tugs and/or escort tugs. 

The primary mission of a rescue or escort tug is to provide emergency rescue services 
for disabled tankers. The objective is to prevent oil spills from disabled tankers that are in 
imminent danger of grounding. Escort vessels can be the last line of defense in preventing a 
tanker spill accident resulting from either a loss of power or steering. 

The fundamental event tree for a ship requiring assistance is as follows: 


REQUEST | ASSISTANCE | ASSIST SHIP | VESSELIS 
ASSISTANCE ARRIVES TIES UP PUT ON 
SAFE TRACK 
Ss 





Figure 6 - 15: Assistance Event Tree 


Probably the largest contribution to an assistance failure, is the failure to request assis- 
tance in time. Once the bridge team recognizes that assistance is required, the stress level is 
extremely high. History has shown that captains will take calculated risks by delaying contact- 
ing assistance in hope of remedying the situation with organic assets. Well known accidents 
such as the Amoco Cadiz and the Transhuron typify the concerns of many captains when faced 
with a situation in which they perceive the receipt of a “bad mark” if they call for assistance 
when the possibility of restoring the ship to a safe condition still exists in their minds. 

Reference [58] documents the probability of error for extremely high stress as being 
0.25. Since the resource are not available to determine the probability for assistance arriving 
and tying up correctly, the 0.25 value will be used. 

Currently, escort tugs are required for loaded tankers in Prince William Sound, Puget 
Sound and San Francisco Bay. Escort by means of a tug tethered to the stern of a tanker to 
permit rapid response to a steering or propulsion casualty is the typical implementation of the 
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escort legislation [27]. The preventive measure of having a suitable tug tied to the stern of a 
tanker removes the system boundaries of availability and capability. The event tree reduces to 
the probability of the escort tug being able to keep the tanker on a safe track. 

The application of escort tugs is for restricted waters. For approaches to restricted 
waters, tankers do not have an escort. To address the issues of availability and capability, 
some regions have implemented a dedicated rescue tug. A dedicated rescue tug remains on 
station in the area of concern. By being on station, the tug is always available. It is able to 
respond to a tanker in distress within a reasonable time frame. 

A study by Robert Allan Ltd. [47] has been done to try to estimate the effectiveness of 
escort tugs in preventing accidents. The study surveyed casualty databases of Canada and the 
U.S. to determine accidents involving the interaction of tugs with ships greater than 5,000 
gross tons and tugs. Utilizing the accident quotient to approximate the failure probability: 


Accident Quotient = Number of Groundings 
Number of Vessel Movements (6-15) 


The following table summarizes the results of reference [47] which resulted in groundings to 
determine the accident quotients: 


Table 6 - 8: Tanker-Tug Grounding Accidents 


Vessel Movements Groundings Quotient 


Channel WeightedMean| | S.1x10* | 
Standard Deviation| sd 4.8 x 10° 


From the above table, the failure of a dedicated escort tug in preventing a grounding is 
assumed to be 5.0 x 10°. 

Based upon the limited analysis done above, the differences in the probability of an as- 
sistance failure varies from 2.5 x 10° without dedicated rescue tugs to 5.0 x 10° with dedi- 
cated rescue tugs. 





Bay of Fund 60,000 i Oe ae 02 


6.3.3 Anchor Failure 


Tankers will have two anchors. Anchors on large tankers can weigh as much as 50,000 
pounds each. Unfortunately, as ships have gotten larger, the proportionate sizes of anchors 
have decreased. The ratio of the anchor weight to the deadweight tonnage has dwindled from 
about 0.6 to 0.2 [7]. The anchors of large tankers are suitable for anchorage in designated ar- 
eas, but with any significant way on the ship when dropping anchor, the momentum can be- 
come too great for the anchor system. According to reference [11], for a large vessel, speed is 
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the most significant factor to consider if an anchor system is used to stop the ship. DNV [11] 
concludes that at speeds greater than 1 knot, the anchor system will fail if it is deployed. 

It is difficult to ascertain any valid statistical data relating to anchor failure. A query of 
the CASMAIN database reveals 58 vessel casualty reports between the years 1981 and 1991 
where a cause was attributable to a dragging anchor. This represents less than 0.1 percent of 
all the vessel casualties recorded. Of these 58 vessels, only 12 are tankers. The nature of the 
query limits causality to post letting-go anchor failure, where the nature of the failure can be 
attributed to unfavorable environmental constraints. 

An additional query of ground-tackle material failure revealed another 15 tanker acci- 
dent reports. These failures give an indication of the material failure rate of tanker anchor 
system. 

It is impossible to assign any failure data to either maintenance or operational errors. 
Based upon 4 of the total 27 tanker accidents, attributed to some form of failure of the anchor 
system, which took place in the New Orleans/Baton Rouge waterway over the 11 year cover- 
age of the CASMAIN database, a rough order of magnitude estimate of anchor failure rate is 
assumed. The average number of tanker trips in the New Orleans/Baton Rouge waterway over 
the years 1986-1990 was 2,765 trips. If this average is assumed for the 11 years for which the 
database covers, a total of 30,415 trips results. If this value is divided into the 4 anchor failure 
accidents occurring in this waterway, then an accident quotient of 1.3 x 10~ results. 


Anchor Failure Accident Quotient = Number of Anchor Failures 
Number of Transits (6-16) 


Table 6 -9: Anchor Failure Accident Quotient 


Total Assumed Tanker Transits for New Orleans/Baton Number of Anchor Accident 


Rouge (1981 through 1991 Failures Quotient 


30,415 ae Paes ea 





Based upon the above accident quotient, the probability of anchor failure will be as- 
sumed to be 1.3 x 10%. This estimate is quite conservative, and based solely on the traffic 
within the New Orleans/Baton Rouge waterway. 

Unfortunately, it is nearly impossible to extract from the database those cases where an 
accident occurred because the anchor was not considered. The grounding of the Braer is clear 
example where consideration for dropping the anchor could have significantly impacted the 
results of that tragedy. Because accidents do occur as a result of failing to consider the an- 
chor, a failure probability needs to be assigned to this basic fault. 

Failure to consider dropping the anchor is a failure related to administrative control in 
reference [58]. This refers to the organizational structure, both real and perceived, that moti- 
vates the operator to make the right decisions and to follow policy and procedures. The situa- 
tion that may require dropping the anchor is stressful. Based on an extremely high stress level, 
an HEP of 0.25 is assigned to this basic fault. 
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The probability of an anchor failure is dominated by the HEP of 0.25 for considering 
the anchor in time to be effective. Therefore, the probability for anchor failure is considered to 
be 0.25. 


6.3.4 Lost Way 


The loss of way is broken down into two categories: loss of propulsion, and loss of 
steering. Like the operations on the bridge, many of the failures related to loss of propulsion 
and loss of steering can be traced to human failure and individual error. Time precludes per- 
forming a detailed analysis of the engineering plants, yet this is an area that warrants further 
investigation. On a recent tanker visit, the engineering department was provided with neither 
operating, nor casualty procedures. 

Figure 6-16 shows the number of lost way incident per year from 1981 through 1991.*’ 
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Figure 6 - 16: Tanker Lost Way Incidents (1981-1991) 


*7 Based on a search of the CASMAIN database, the results show all steering failures and propulsion train inci- 
dents include material failure of: 
1. Main Engines 
2. Boiler 
3. Main Steam System 
4. Feed and Condensate System 
5. Fuel Oil Supply 
6. Lube Oil Supply 
7. Main Generator 
8. Reduction Gear 
9. Shaft System 
10. Propeller 
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In order to estimate the probability of a loss of way incident, the number of incidents 
over a given time period is compared to the number of tanker transits. Table 6-10 summarizes 
the results. 


Lost Way Accident Quotient = Number of Lost Way Incidents 
Number of Transits (6-17) 


Table 6 - 10: Lost Way Accident Quotients 


Port Tanker 
Transits 


8708 5.74 x 107 1.15 x 10% 
10,133 2.96 x 107 9.87 x 10° 


Baton Rouge 


[Total | 32,666 1 36 sf 0x10" [14 | 4.29 x 10% 


Since the failure rate is dependent upon the transit length, a rough estimate of the near- 
land transit length for each port is included in the following table: 


Propulsion 
Failures 


Propulsion 
Failure 
Accident 
Quotient 


Steering 
Failures 


Steering 
Failure 
Accident 
Quotient 






























Table 6 - 11: Approximate Coastal Transit Length (miles) 


Approximate Transit Miles 


Valdez 


40 
New Orleans/Baton Rouge 





The aggregate failure probabilities are divided by the total number of transit miles of 
340 mi. to approximate the failure probability per mile. 


Table 6 - 12: Lost Way Failures per Mile 


Propulsion Failure 


Steering Failure Steering Failures 






Propulsion Fail- 













Probabilit Probabilit ures per Mile per Mile 
iicxlo 866 Cd «29 x 10° 3.24 x 10° 1.26 x 10° 





The probability per mile of having a loss of way accident becomes the sum of the two 
probabilities (assuming independence and the rare event approximation). Therefore, the prob- 
ability of having a loss of way accident becomes 4.5 x 10° per mile. If this is multiplied by the 
ships speed to put it into a function of time, the value can be considered a constant hazard rate 
function. 
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Recall: 
f(t) = re? (6-18) 


d = rate of failure = the probability that the system will fail between t and t + A (6-19) 


Let the rate of failure be equal to the probability per mil times the speed of the ship. 


s = speed 
X= rate of failure = 4.5% s 
h(t) = =4.5° 5 (6-20) 
t 
FQ) = | f(e) d(e) 
0 (6-21) 
F(t) = 1 - ec) = 1 - Post (6-22) 


The behavior of the unreliability over time (assuming 10 kts) is as follows: 


0.006 


0.004 
Lost_way(t) 
0.002 


0 


time (hr) 


Figure 6 - 17: Lost Way Unreliability versus Time 


6.4 Summary of Probabilities 


The probabilities that were determined from both event trees and historical data are 
summarized in the Table 6-11. 

To evaluate the overall probability of grounding the powered grounding and drift 
grounding fault trees will be reduced to incorporate the above values. 
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Table 6 - 13: Summary of Grounding Probabilities 


Powered Grounding: 
Faulty Passage Plan 
Faulty Planning Information 
Piloting Error 


Drift Grounding: 
Sufficient Wind/Current 
Assistance Failure 
Anchor Failure 
Lost Way: 





6.5 Fault Tree Reduction 


The grounding fault tree has been inductively and deductively constructed for clarity in 
order to determine the basic faults of grounding accidents. Because the basic faults have now 
been identified, reduction of the fault tree will make the connection between the probabilities 
and the fault tree clearer. By incorporating Boolean identities, the fault tree can be reduced to 
a simpler expression. 


6.5.1 Powered Grounding Fault Tree Reduction 


From Figure 6-2, the Boolean expression for powered grounding is: 


P(powered grounding) = P(desired track is unsafe) 
+ P(course deviates from safe desired track) (6-23) 


P(desired track is unsafe) = P(errors made in planning track) 
+ (P(no errors made in planning track) 
* P(planning information is not accurate)) (6-24) 


P(course deviates from safe desired track) = 
P(difference error is not detected) 
+ (P(difference error is detected) 
* P(insufficient action to eliminate the error) (6-25) 


By recognizing the P(errors made in planning track) is the negation of P(no errors in 
planning track) in equation (6-24), and likewise for the P(difference error is detected) and 
P(difference error is not detected) in equation (6-25), then equations (6-24) and (6-25) reduce 
through Boolean identities to the following: 


P(desired track is unsafe) = P(errors made in planning track) 
+ P(planning information is not accurate) (6-26) 
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P(course deviates from safe desired track) = 
P(difference error is not detected) 
+ P(insufficient action to eliminate the error) (6-27) 


The piloting event tree incorporates all of the information contained in Equation (6-27). 
Rather than dissect the event tree, it is easier to equate the results of the event tree to the 
probability of the course deviating from a safe desired track. Therefore: 


P(course deviates from safe desired track) = P(piloting error) (6-28) 
Utilizing the reductions, the expression for the probability of a powered grounding is: 


P(powered grounding) = P(errors made in planning track) 
+ P(planning information is not accurate) 
+ P(piloting error) (6-29) 


By assuming independence and the rare event approximation, the above Boolean ex- 
pression becomes the sum of the probabilities. 


P(powered grounding) = 7.005 x 10° + 1.0 x 10% + (1-e°°™™*) (6-30) 


6.5.2 Drift Grounding Fault Tree Reduction 


The fault tree for drift grounding is shown in Figure 6-14. The methodology used to 
determine the probabilities for the elements of drift grounding limits the values to estimates 
that represent the first level of the drift grounding fault tree: 


P(drift grounding) = P(unsafe wind/current) 
* P(assistance failure) 
* P(anchor failure) 
* P(lost way) (6-31) 


The probability of lost way is the only term broken down to another level: 


P(drift grounding) = P(unsafe wind/current) 
* P(assistance failure) 
* P(anchor failure) 
* (P(lost propulsion) + (P(lost steering)) (6-32) 


Again, by assuming independence and the rare event approximation, the probability for 
drift grounding becomes an expression of products: 


P(drift grounding) = 1.0 x 0.25 x 0.25 x (1-e° °°") (6-33) 
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6.6 The Probability of Grounding 


The probability of grounding is approximated as the sum the probabilities for drift 
grounding and powered grounding: 


P(grounding) = P(powered grounding) + P(drift grounding) 


= 1.7 x 10% + (1 - OO) + (6.25 x 107) x (1 - OO) (6-34) 


Figure 6-18 graphs the powered grounding, drift grounding, and the grounding prob- 
abilities against time. From this figure it can be seen that powered grounding dominates the 
contribution to the probability of grounding. 
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Figure 6 - 18: Grounding Probabilities with Time 


6.7 Summary 


The resulting probability for grounding is dominated by the piloting process in the 
powered grounding mode of failure. This is confirmed by the CASMAIN database, which at- 
tributes only 15 cases of 716 tanker groundings to either steering failure, or propulsion failure. 
This analysis seems to overestimate the probability of powered grounding based upon statisti- 
cal data. However, mariners tend to operate by allowing large margins for error, it may be that 
errors occur, but the allowed margins mitigate any adverse consequences. At the same time, 
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continuous errors in these margins do not provide sufficient feedback to the mariner. As a re- 
sult, the wrong behavior is repeated until the margin no longer exists to impede the inevitable 
adverse consequences. 

The method to determine the probability of powered grounding, while simplistic, is 
systematic. Because each of the processes are broken into a sequence of events, a sensitivity 
analysis of each event over the range of uncertainty can show those areas where the greatest 
potential for reducing the probability of grounding exists. Likewise, those areas can be identi- 
fied that produce the greatest potential for the increase in grounding probability. Once identi- 
fied, policy makers are able to make rational decisions regarding the allocation of limited re- 
sources to reduce the possibility of grounding and ultimately minimize the outflow of oil into 
the environment. 
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Chapter 7 Evaluations and Conclusions 


7.1 High-Leverage Factors 


In order to determine those events that offer the largest potential for improving the 
failure probabilities requires a sensitivity analysis. Once performed, the high-leverage factors 
can identify risk reduction areas, and resources allocated to promote reducing the probability 
of grounding, or at least to implement measures to prevent increasing the probability. For the 
grounding event, powered grounding is shown to be the significant contributor. A sensitivity 
analysis of the event trees incorporated in the powered grounding analysis identifies the high- 
leverage factors. 


7.2 Powered Grounding Sensitivity Analysis 


Recall that the three major elements for determining the probability of powered 
grounding are: planning, planning information, and piloting. The high-leverage factors are de- 
termined by varying each of the probability events in the event tree over the range of uncer- 
tainty. The results of the sensitivity analysis are displayed in Appendix D. The following para- 
graphs summarize a sensitivity analysis to determine which factors within these elements war- 
rant further consideration 


7.2.1 Planning Failure Sensitivity 


The sensitivity analysis of the planning event tree yields three events that can signifi- 
cantly affect the probability for implementing a faulty plan. Recall that the event tree analysis 
resulted in a mean probability for implementing a faulty plan of 7.005 x 10%. The effect of 
each high-leverage event on the probability for implementing a faulty plan at the low-end and 
high-end of the uncertainty is summarized in Table 7-1. 


Table 7-1: Planning Failure Event Tree High-Leverage Factors 


Event Percent Deviation from the Mean | Percent Deviation from the Mean 
Probability at the Low-End of Probability at the High-End of 
Uncertaint Uncertaint 


check publications for changes 100% 
100% 
4900% 
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From Table 7-1 it can be seen that the events that offer the largest improvement are: 
1. Captain’s verification. 
2. Checking publications for changes in the waterway. 
3. Properly determining the voyage waypoints. 


For voyage planning, it is essential to begin with the correct information by checking 
publications, incorporating the changes on the charts, and determining the correct waypoints. 
The most important event is that of verification. The captain’s verification event has an impact 
on the complete planning process. 

While these factors offer the greatest potential for improvement, over the range of un- 
certainty, they offer a greater potential for increasing the probability of failure. This empha- 
sizes the importance of navigation fundamentals and the captain’s role in verifying that the 
track meets imposed constraints. 

When the probability of faulty planning information is included in the sensitivity analy- 
sis, Table 7-2 results in the sensitivity for failure to implement a correct track. 


Table 7-2: Planning Failure Event Tree (incorporating the probability 
for faulty information) High-Leverage Factors 


Event Percent Deviation from the Mean | Percent Deviation from the Mean 
Probability at the Low-End of Probability at the High-End of 
Uncertaint Uncertaint 


check publications for changes 41% 


2018% 
utilize faulty information 529% 





It can be seen from Table 7-2 that over the range of uncertainty, faulty navigational 
information offers the greatest potential for improving the failure probability. 


7.2.2 Piloting Failure Sensitivity 


Table 7-3 shows the affect of the high-leverage piloting events on the overall probabil- 
ity for a piloting failure determined from the event tree that incorporates the captain’s verifica- 
tion role. 
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Table 7 - 3: Piloting Failure Event Tree High-Leverage Factors 
(incorporating Captain’s verification role) 


Event Percent Deviation from the Mean Percent Deviation from the Mean 
Probability at the Low-End of Probability at the High-End of 
Uncertaint Uncertaint 


205% 


To gain further insight into the scope of the potential for the high-leverage factors, an 
additional sensitivity analysis for the event tree that does not incorporate the captain’s verifica- 
tion role is considered. The following table summarizes the results. 






Percent Deviation from the Mean 











Table 7 - 4: Piloting Failure Event Tree High-Leverage Factors 
(without captain’s verification role) 
Event Percent Deviation from the Mean 
Probability at the Low-End of Probability at the High-End of 
Uncertaint Uncertaint 










135% 
the difference error is detected 135% 


From the previous two tables it is seen that the most sensitive events are also the most funda- 
mental events to piloting and navigation: 


1. Generating a difference error. 
2. Properly taking a fix. 
3. Detecting a difference error from the plotted fix. 


Reductions in piloting error are dominated by the accuracy and reliability of the navi- 
gational equipment (a difference error is generated) and fundamental piloting techniques (fix is 
taken and a difference error is detected). Regardless of any verification processes, if these 
fundamental events fail, then there is a significantly higher probability of failure. The sensitivity 
analysis captures the fact that a lot of coastal piloting is done by experience and line-of-sight 
piloting, rather than actual plotting. Therefore, regardless of the methods used to determine 
the ship’s position, if the conning officer is unable to detect that the ship has deviated from the 
desired track then the potential for grounding increases. 
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7.3 Recommendations 


The results of the sensitivity analysis identifies those high-leverage factors that have 
potential for impacting the probability for powered grounding: 


1. Planning: Check publications for changes 
Determine waypoints properly 
Captain Verify Plan 


2. Planning Information 


3. Piloting. Difference error is generated 
Take fixes properly 
Difference error is detected 


The salient question remains: “What measures will effectively and efficiently influence 
the high-leverage factors to reduce the probability of grounding?” 
Recall that the constituents of human failure are: 


1. Sub-systems. 
2. Procedures. 

3. Organizations. 
4. Environment. 


5. Individuals. 


7.3.1 Sub-System Improvements 


Within the confines of sub-systems there is a technology that can promote a reduced 
probability for powered grounding. Recall however, that the implementation of technology, 
alone, does not result in a reduced failure rate. Because the technology must interface with the 
individual, the technology must be implemented without increasing the complexity of the sys- 
tem, while ensuring that operators understand the technology and its limitations. 

The potential for ECDIS, if implemented properly, to reduce planning errors is great. 
Its implementation can include the automatic update of charts via satellite, process meteoro- 
logical data, incorporate individual vessel characteristics to plan voyages and optimize those 
voyages for either time or fuel considerations. It must be recognized though, that the output is 
only as good as its input, and the National Oceanic and Atmosphere Administration (NOAA) 
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has neither the plans nor the money to implement an updated survey program for the coastal 
waterways of the U.S.** 

The potential for ECDIS to improve the piloting error in coastal waterways is also 
significant. If properly integrated with Differential GPS, it can provide automatic warnings to 
navigational hazards. The use of DGPS can significantly increase the probability of detecting 
any deviations from a safe track. 

The USCG conducted a simulator experiment to evaluate the effectiveness of the mari- 
ner’s use of ECDIS in a restricted maneuvering situation [9]. The conclusions were that 
ECDIS increased safety by both decreasing the magnitude of the ship’s deviation from the 
planned track and increasing the proportion of time that the mariner allocated to collision 
avoidance and looking out for hazardous situations. In general, ECDIS provided the mariner 
with a greater situational awareness [56]. The contribution of ECDIS to the safety of naviga- 
tion was confirmed in sea-trial experiments [18]. 

The integration of ECDIS into the ship’s radar system, DGPS, and a satellite link to 
incorporate the updating of coastal waterways can reduce the probability of powered ground- 
ing. This is accomplished by significantly reducing the impact of the high-leverage factors 
identified in the piloting process. 

As a caveat, it was found that the effect of a failure of the ECDIS capability of auto- 
matically updating the ship’s position increased the number and magnitude of deviations from 
the planned track [9]. Therefore, issues of reliability need to be resolved with possibly the in- 
clusion of redundant systems and prudent secondary means of positioning.” A fully integrated 
system has to potential to present the mariner with too much information and increase the 
complexity of the navigational task. The interface of the integrated ECDIS system must be 
designed ergonomically. 


7.3.2 Organizational and Procedurai Improvements 


In conjunction with emerging technologies, there must be corresponding attention 
given to the organizational aspects of utilizing that technology. 

The organizational impact on human failure has the potential to be significantly reduced 
through implementation of the International Safety Management Code (ISM). In a move away 
from the traditional hardware requirements, the IMO has mandated the ISM to include the hu- 
man aspects associated with both vessel and shoreside management. The ISM requires vessels 
to carry a Safety Management Certificate, and operating companies to have a Document of 
Compliance.” Ships will be retained in port for not producing the necessary documents. 

As the preamble to the ISM states [23]: 


38 Personal conversation,Larue E., USCG. May 3,1996. 
*° The grounding of the Royal Majesty presents a situation where the satellite positioning system malfunctioned 
and no one on the bridge was vigilant enough to confirm the vessel’s position. 
“ The International Management Code for the Safe Operation of Ships and for Pollution Prevention 
(International Safety Management Code) was adopted by the IMO in 1993. It becomes mandatory for tankers 
over 500 gross tons in July, 1998. 
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The cornerstone of good safety management is commitment from the top. 
In matters of safety and pollution prevention it is the commitment, compe- 
tence, attitudes and motivation of individuals at all levels that determines 
the end result. 


The ISM offers broad guidelines for implementing a safety management system that incorpo- 
rates the following objectives [23]: 


1. Provide for safe practices in ship operation and safe working environment. 
2. Establish safeguards against all identified risks. 


3. Continuously improve safety management skills of personnel ashore and 
board ships, including preparing for emergencies related both to safety and en- 
vironmental protection. 


The intent of the IMO is to provide a framework for a safety management system that 
will furnish the impetus for better policies and procedures, thereby creating a more suitable 
environment for the mariner and producing more motivated, knowledgeable, and safer crews. 

Once risks are identified, ISM provides the tool to successfully manage those risks. 


With sensitive natural resources potentially affected by poor management of 
risk, it is axiomatic that a vessel owner or operator adhere to a management 
model which minimizes marine environmental risks and ensures compli- 
ance with all applicable laws [65]. 


The existence of a management policy is not sufficient. To be effective, the policy must 
be active. A study conducted by the UK P&I Club [61] has shown that an active management 
policy: 

1. Reduces the distance between operator and employee. 
2. Increases crew loyalty. 
3. Improves manning level compliance. 


4. Improves manning qualifications. 


In general, the an active management policy, such as the ISM, has the potential to in- 
crease the understanding of responsibilities and systems; therefore, better performance. 


7.4 Conclusions 


Tankers are the largest contributor by vessel type to the worldwide oil spill volume and 
the grounding of tankers represents a significant failure state contributing to the total acciden- 
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tal oil outflow of tankers. A systematic approach has been undertaken to gain an insight into 
the factors that contribute to the grounding event. The fault tree/event tree method for de- 
termining the probability of grounding has been used to identify the significant basic faults. 

The human element in maritime accidents has been shown to be a major contributor. 
The THERP analysis provides the tool to gain an understanding into the tasks that the mariner 
performs. From the task analysis, the high-leverage factors are identified. 

Recognizing that individual errors are a subset of human failures, which are a subset of 
system failures, effective reductions in the individual error rate must encompass total systems 
approach. 

While the approach has been simplistic in nature, the methodology is sound and proven 
in the nuclear industry. Because of the limited resources available some assumptions taken 
give rise to the validity of the absolute value for the probability of grounding. However, it 
does serve to give a relative value and indicate areas for improvement. 

Specific areas for improvement lie within the domain of sub-systems, the organization 
and procedures. An integrated ECDIS system seems to offer significant potential to reduce 
piloting and planning errors, while ISM offers a framework to enhance safety within the mari- 
time industry and provides an impetus to facilitate the flow of information and provide incen- 
tives; thereby increased performance. Additional improvements have been shown to be re- 
quired in the surveying of coastal waterways. 


7.5 Areas for Further Research 


The task analysis encompassed in the event trees, while systematic, is simplistic due to 
the nature of the study. A more detailed task analysis in the framework of the event tee ap- 
proach can give more insight into the piloting task. This research can take the form of simula- 
tor experiments in order to capture the HEPs that are particular to the mariner. 

Accident investigations tend to invoke stop rules. A study of the essential elements of 
an investigation, within the framework of a PRA, can allow investigators to collect essential 
data so that feedback can provide valuable data to assist in identifying areas for risk reduction. 

This thesis has concentrated on a level 1 analysis within the proposed risk model. Fur- 
ther work to expand the analysis to levels 2 and 3 can offer the appropriate risk; that is, incor- 
porating the impact of the accident with the probability of the accident. 


95 








Appendix A_ Boolean Algebra and Probability Theory 


Boolean Algebra 


Fault trees graphically show the logical relationship between various faults and the top 
event. Boolean algebra is an appropriate tool to represent the fault tree in mathematical form 
in order to facilitate quantitative analysis. 


Table A - 1: Laws of Boolean Algebra 


A*B=B*tA Commutatative Law 
A+B=Bt+A 

A*(B*C)=(B* OC*A Associative Law 
A+(B+C)=(A+B)+C 


A*(B+C)=A* BtA*FC Distributive Law 
A+B*C=(A+B)* (A+C) 


A*A=A Idempotent Law 
At+tA=A 


Complementation Law 


A*A=0 
A+A=1 


A*(A+B)=A Absorption Law 
A+(A*B)=A 


ye DeMorgan’s Theorem 
(A* B)=A+B 





Laws of Probability 


Boolean equations can then be evaluated using the laws of probability. The Boolean 
symbols “+” and “*” represent the OR and AND operations respectively. These operations 
respectively correspond to the union and intersection operations. 
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Union 
Boolean Expression: C=A+B 
Probability Expression: P(C) = P(A) + P(B) - P(A * B) 


Intersection 

Boolean Expression C=A*B 

Probability Expression: 
Independent: P(C) = P(A) * P(B) 
Dependent: P(C) = P(A) * P(BIJA) 


Probabilities of dependent events can be evaluated using Baye’s theorem: 


For two events A and B, 
P(A) =the probability of event A. 
P(B) = =the probability of event B. 
P(A|B) =the probability of event A given the occurrence of event B. 
P(B|A) =the probability of event B given the occurrence of event A. 
P(AB) = the probability of event A and B. 


Utilizing set theory, P(AB) is the intersection of the two events: 
P(B/A) is concerned with the darkened part of Figure 5 and is the ratio of the area 
(AB) to the total area A, that is: 


P(BIA) = P(A * B) (1) 
P(A) 


By symmetry it-may be shown that: 


P(A|B) = P(AB) (2) 
P(B ) 
Solving for P(A * B): 
P(A * B) = P(A)P(BIA) = P(B)P(A|B) (3) 


“| The notation P(A|B) denote the dependent probability of event A occurring, given the knowledge that even B 


has occurred. 
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Figure A- 1; Venn Diagram 


Rare Event Approximation 


The rare event approximation, also known as the small probability approximation, is 
applicable when the intersection probability, P(A * B), is much smaller than the individual 
probabilities, P(A) and P(B), generally, 0.1. Utilizing the rare event approximation, the union 
operation is approximated as follows: 


Union 
Boolean Expression: C=A+B 
Probability Expression: P(C) = P(A) + P(B) 


Generalized Probability Equations 


The generalization of the probability equations to 7 events is as follows: 


Union 
P(A; + Az +... + An) = [P(A1) + P(A2) +... + P(A,)] 
- [P(A1A2) + P(A1As) +... Pi(AiA)] 
+ [P(A;A2A3) + PA1A2Ay) +... + Pisjea(AiAjAx)] 


In - 1[P(A1A2...An)] 
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Utilizing the rare event approximation: 


P(A; + A, +... + A,) = P(A;) + P(A2) +... + P(A,) 
Intersection 


Dependent: 
P(A,A;...A,,) = P(A;)P(A2|A1)P(A3|A;A2)...P(A,|A1A2...Aq-1) 


Independent: 
P(A,A;...A,) = P(A;)P(A2)...P(A,,) 
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Appendix B-_ Developing the Grounding Fault Tree 


To develop the fault tree for groundings, it must be recognized that a grounding is 
caused by the ship entering an area where the draft exceeds the depth. It becomes necessary to 
determine why the ship has encountered that situation. Fundamentally, the ship can either fol- 
low a safe track or an unsafe track. An unsafe track necessarily intersects a hazard. (The haz- 
ard is that encounter where the draft exceeds the depth.) 

A vessel can survive in a failure state if it does not intersect a hazard. Interest lies only 
in the case where the infinite possible combinations of integrating the velocity vector result in 
the final position of the ship the same as the hazard: 


t(destination) 
| v(t) dt —~ Xhazard~ X initial 
t(origin) (B-1) 


Given that the grounding failure state is the state of interest, the ship is following an 
unsafe track. Because the ship is proceeding down an unsafe track, there are two concerns to 
investigate: 


1. The ship is able to follow a safe track 
2. The ship is unable to follow a safe track. 


If the ship is able to follow a safe track, then a determination must be made of why it is pro- 
ceeding down an unsafe track. Figure B-1 depicts these concepts in the fault tree. 





Figure B - 1: Basic Grounding Fault Tree 
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By deductively reducing each successive step in the top-down approach, the fundamen- 
tal causes of groundings can be understood and evaluated. Continuing with these seemingly 
rudimentary steps in order to determine successive causes will create the complete fault tree. 
The process of developing the fault tree is subsequently described. 


The Actual Course Follows an Unsafe Track 


The ship’s actual course is following an unsafe track, yet there is nothing physically 
preventing the ship from following a safe track. Thus, two options can be deduced: 


1. The desired track is unsafe. 
2. The course has deviated from a desired safe track. 


Given that the ship is capable of following a safe track, then, when the desired track intersects 
a hazard, causality is constrained to the planning process. However, when the ship’s course 
deviates from a desired safe track to an unsafe track, causality is constrained to the piloting 
process. 


The Desired Track is an Unsafe Track 


It is necessary to determine where in the planning process that the desired track be- 
comes coincident with an unsafe track leading to a grounding. The coincidence of a desired 
track and a grounding track can occur under two different scenarios: 


1. Properly planned track: the process of planning has been completed satisfac- 
torily. 


2. Improperly planned track: errors have occurred in the planning process 


Planning includes both the initial voyage planning, and the dynamic planning which is 
done as a result of external conditions imposing new constraints. 

The importance of proper planning can be illustrated through the use of the navigation 
control model. Clearly, if the ship navigation control system were completely accurate, then 
groundings would not occur due to deviations of the actual course from the desired track. But 
even accurate systems will yield an undesirable response if the input is incorrect. As the collo- 
quialism goes “garbage in - garbage out.” For example, a ship proceeding without the correct 
chart reflects an improper input to the control system. Regardless of how accurate the fix, if 
the intended track intersects an unknown hazard to navigation, the accuracy of the control 
system is irrelevant and the reliability of the system becomes limited by the reliability of the in- 
put. 

Dynamic planning incorporates the same planning process , but it is done because some 
unanticipated event (weather, mechanical failure, another ship crossing the bow, etc.) has im- 
posed new constraints upon the voyage. Dynamic planning is inherently a part of navigating 
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and piloting a ship. It often requires a rapid decision, and it is typically a quality of a skillful 
conning officer. 

When the course is properly planned with all available information but still intersects a 
hazard, the fault lies in the information itself (e.g. incorrect charts). The planner has utilized 
the most current information and evaluated the intended tracks properly. But because the most 
current information does not reflect the most current conditions, the intended track intersects a 
grounding hazard.” 

Groundings can and do occur due to inaccurate charts. Nautical charts are prepared 
from the latest available hydrographic surveys. Only a small portion of U.S. waters have been 
surveyed using the most advanced techniques, and 60 percent of the soundings shown on nau- 
tical charts are based on lead-line surveys conducted over 45 years ago [35]. 

For an improperly planned course, the voyage planning process has not been completed 
to success: 


1. The wrong information is used: the correct information is available but is 
not used resulting in the wrong constraints placed upon the planning evaluation. 


2. Insufficient information is used: the planning process is based upon incom- 
plete knowledge of the voyage. 


Actual Course Deviates from a Safe Desired Track 


The ship can be on the wrong course because it has deviated from the desired track. 
Recall from the navigation control model, in Figure 6-1, that deviations, which occur as the 
actual course diverges from the desired track, create error signals which the conning officer 
must recognize. The inaccuracy of the system is reflected when there is either a failure to rec- 
ognize that the ship’s actual position differs from its estimated position, or a difference in ac- 
tual verses desired position results in insufficient action to eliminate the difference. After the 
difference is recognized, there must be an overt action to adjust the ordered course to keep 
the error as close to zero as possible. 

Before proceeding any further it is necessary to review how a difference error is rec- 
ognized. Most ships require a proactive interface between the sensors and the conning officer. 
The conning officer must take the initiative in the process. The proactive process of piloting a 
ship is dead-reckoning. Errors are detected by taking lines of position to fix the ship and com- 
pare the fix to the track. There will always be an error signal when the actual course deviates 
from the desired track. That signal may be masked by instrument error, or electri- 
cal/mechanical failure of navigation systems, but the error still exists and can be checked by 
visual lines of bearing to navaids, or celestial fixes, etc. 


“2 There are other issues involved with planning. For example, presenting the right information to the right 
person at the right time. The passage planner goes to great depth to develop a very detailed plan, which other 
people have to use. If the information is too cumbersome, then it will be ignored, if it is too detailed, then it 
can become irrelevant to a specific situation. This brings up the issue of contingency planning. Clearly, the 
planner cannot forecast every possible contingency. Therefore, this model simplifies the process by assuming 
that 
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The heart of navigation control model then, is the human decision process of determin- 
ing if there is an error, and how much action is required to reduce the error. Given that an er- 
ror exists in the difference between actual course and desired track, that error can either be 
detected or continue to go unrecognized. 

If the difference error is not detected then causality is constrained to the fix or lack 
thereof. Ifthe difference error is recognized, then there must be a determination of why insuf- 
ficient action was taken. 


The Difference Error is Recognized 


The possible actions which result in grounding after recognizing that the actual course 
differs from the desired track are: 


1. Untimely action: the right action is taken but not in time to preclude an ac- 
cident. 


2. Erroneous action: the wrong action is taken. 
It is assumed that all the information is available to the conning officer and the difference error 
is recognized in sufficient time to preclude a grounding. Hence, untimely or incorrect action in 
response to the difference error is either a failure of the conning officer to respond sufficiently 
to the error, or the helmsman to act promptly to the conning officer’s orders. 
The Difference Error is Not Recognized 

If the difference between the actual course and the desired track goes unrecognized, 

then the failure lies solely with the conning officer. Recall that the conning officer must com- 
pare all of the following: 

1. Position Sensors: gyro, compass, lookout, radar errors. 

2. Position Measurements: procedural errors it taking lines-of-position. 


3. Position Estimates: procedural errors in dead-reckoning. 


The breakdown in the loop occurs in the proactive process which must be initiated by the con- 
ning officer. 


Summary of the Course Proceeding down an Unsafe Track 


Figure B-2 summarizes the fault tree for the actual course proceeding down an unsafe 
track. Basically, the faults occur because of either planning errors or piloting errors. 
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Figure B - 2: Fault Tree for Actual Course Proceeding down an Unsafe Track 
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Unable to Follow a Safe Track 


The correct course is known but the ship that is unable to steer that course. In this 
case, the ship is necessarily subjected to a number of parallel factors. All of the following must 
occur: 

1. Lost way: the ship has lost its ability to be effectively controlled 


2. Unsafe wind/current: when the ship has lost way, there must be the neces- 
sary wind/current to force the ship into the grounding situation. 


3. Anchor failure: given that the ship is unable to dynamically control its 
course, the anchor must fail allowing the environment to control the inevitable. 


4. Assistance failure: in addition to the above, there must be a failure of assis- 
tance to prevent the grounding. 


The Ship has Lost Way 


For the ship to have lost way it is no longer able to be controlled. This would imply 
that the ship has lost steering or propulsion. Without getting into the details particular to a 
specific ship, failure of these mechanical systems can be attributed to maintenance, operation, 
or material failure. Additionally, given a material failure, the crew is unable to repair the failure 
before the ship intersects the hazard. 


Unsafe Wind/Current 


For the ship to encounter a grounding given that it has lost way, it must be forced into 
the hazard by the wind/current. Many ships lose way while at sea, yet never encounter an ac- 
cident. It is essential that the environment force the ship into the hazard for the hazard to oc- 
cur. 


Anchor Failure 


Tankers will have two anchors. Anchors on large tankers can weigh as much as 50,000 
pounds each. But as ships have gotten larger, the anchors have not done so proportionately. 
The ratio of the anchor weight to the deadweight tonnage has dwindled from about 0.6 to 0.2 
[7]. The anchors of large tankers are suitable for anchorage in designated areas, but with any 
significant way on the ship when dropping anchor, the momentum becomes too great for the 
anchors to handle. 

As a mechanical system, the anchor system failure is subject to the same causality as the 
propulsion and steering systems; maintenance, operational, and material failure. Additionally, 
consideration should be made for the case when the anchor is not operated at all. Many ves- 
sels have run aground when prudent letting-go of the anchor would have prevented the catas- 
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trophe. There are also times where the environmental conditions preclude effective anchor us- 
age. The ocean bottom either does not lend it self to holding the anchor or the depth gradient 
is too steep. 


Assistance Failure 


Tugs or salvage ships can be essential to preventing a catastrophe. The availability and 
functionality of assist ships is particular to a given port. Implicit failure of assistance occurs if 
it is not requested. Once requested, the failure can occur if the assistance does not arrive, or if 
the assistance is unable to put the ship on a safe track. The inability of the assist ship to put the 
damaged ship on a safe track can be caused by either the assist ship arriving too late, opera- 
tional errors in securing a tow line, or the assist ship 1s too small to prevent the damaged ship 
from grounding. 


Summary of Ship Unable to Follow a Safe Track 


Figure B-3 shows the fault tree for the grounding where the ship is unable to follow a 
safe track. 
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Figure B - 3: Fault Tree For Ship Unable to Follow a Safe Track 


The use of a fault tree to ascertain the areas of risk are essential to an overall risk as- 
sessment. Starting from the hazardous outcome, or top-event, and logically progressing 
downward through sequential levels of causation, the fault tree points to system weaknesses by 
deductively determining the sources. Once this systematic approach has developed all the root 
causes for groundings, the result is a qualitative assessment. 

The fault tree is a way of decomposing the event, not a way of explaining why. As 
such, the grounding fault tree is a logical model representing a qualitative characterization of 
the system. The postulated fault events in the grounding fault tree are not exhaustive. Deduc- 
tively and inductively, they represent the most likely events. 
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Appendix C Selected THERP Tables 


The following tables are excerpts of NUREG1278 [58]. They represent the tables used 
in the grounding analysis. They are supplied to give an illustration of the type of information in 
reference [58] and to show the source used for the analysis. 


Probabilities of Errors of Omission in Use of Written Procedures in Nonpassive Tasks 















0.003 __| 0.001 to 0.01 


Procedures with checkoff provisions (assume zero dependence between written —— 
steps) 


Short list < 10 items 0.0005 to 0.005 
Long list > 10 items 0.003 0.001 to 0.01 


Checkoff provisions improperly used 0.5 


(Consider procedures with improperly used checkoff provisions to be the same 


as procedures with no checkoff provisions.) 
Short list < 10 items 0.003 0.0001 to 0.01 













Procedures with no checkoff provisions 


asnieaaciers 
2 
01 








Probabilities of Error in Preparation of Written Procedures 







PO —“(tisSsSCSsSsk —“(tis*~=s*s‘“‘;‘C;*é‘“;*s*S*SCSC~C~CS~CSC~*sSCziEP | certainty 
}Omittinganitem C—“‘“C;OOCCCC#d: 003 | 0,001 to 0.01 
Writing an item incorrectl 0.003 0.001 to 0.01 
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Checking Operation | HEP | 

Usual monitoring in a nuclear power plant with some kind of checklist or 0.10 0.05 to 0.5 
checking written lists or procedures 

Same as above but without written materials 0.10 to 0.9 
Hands-on type of checking that involves special measurements or other activi- 0.005 to 0.05 
ties 


Probabilities that a Checker will Fail to Detect Errors 
written procedure (includes tasks such as over-the-shoulder checking and 
Special short-term, one-of-a-kind checking (e.g., supervisor checks perform- 0.05 0.01 to 0.10 
ance of a novice 


Probabilities of Errors of Comission in Reading Quantitative Information from Displays 


Reading Task | HEP | Uncertainty | 
Digital indicators Analog meter 
Analog meters with easily seen limit marks 
Analog meters with difficult-to-see limit marks, such as scribe lines 
Analog meters without limit marks 
Analog-type chart recorders with limit marks 
Analog-type chart recorders without limit marks 
Checking the wrong indicator lamp (in an array of lamps 
Misinterpreting the indication on the indicator lamps 


Probabilities of Errors in Recalling Special Instruction Items Given Orally 


Task Uncertaint 


Items not Written Down by Recipient 
Recall any given item, given the following number of items to remember 
0.0005 to 0.005 


0.001 to 0.01 


0.01 to 0.1 
0.05 to 0.5 
Recall any item if supervisor checks to see that the task was done NEGLIGIBLE 
Items Written Down by Recipient 
Recall any item (exclusive of errors in writing) 0.0005 to 0.005 


0.005 to 0.05 
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Appendix D Sensitivity Calculations 


The following MATLAB program is used to determine the sensitivity of the event trees 


% Ptrack = The probability that the desired track is unsafe 

% Pinfo = The probability that the planning information is incorrect 
% Pplan = The probability for implementing a faulty plan 

% Ppilot = The probability of a piloting error 


% The events for passage planning are as follows 
% chk_pub = check publications 

% plt_chg = plot changes 

% det_wpt = determine waypoints 

% lay_trk = lay down track 

% rec_filt = recognize faulty track 

% ver_pln = captain properly verifies plan 


% The events for piloting are as follows 

% err_gen = the probability that a difference error is generated 

% fix_tak = the probability that a fix is taken 

% fix_plt = the probability that a fix is plotted properly 

% fix_ver = the probability that the fix is verified to be correct 

% cov_fix = the probability that the captain verifies the fix to be correct 
% dif_det = the probability that the difference error is detected 

% co_detd = the probability that the captain detects the difference 

% crs_ord = the probability that the correct coarse change is ordered 

% crs_ver = the probability that the coarse change is verified 

% Cov_crs = the probability the captain verifies the coarse change 

% him_res = the probability that the helm responds correctly 

% him_ver = the probability that the helm response is verified 

% cov_him = the probability that the captain verifies the helm response 


% The failure probabilities are as follows: 
nchk_pub = 0.003; 

nplt_chg = 0.001; 

ndet_wpt = 0.003; 

nlay_trk = 0.01; 

nrec_flt = 0.002; 

nver_pln = 0.01; 

Pinfo= 0.0001; 


nerr_gen = 0.00095; 
nfix_tak = 0.001; 
nfix_plt = 0.001; 
nfix_ver = 0.01; 
ncov_fix = 0.01; 
ndif_det = 0.001; 
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nco_detd = 0.001; 
ncrs_ord = 0.003; 
ncrs_ver = 0.01; 
ncov_crs = 0.01; 
nhim_res = 0.0001; 
nhim_ver = 0.01; 
ncov_hlm = 0.01; 


% The success probabilities are 1-Pfailure 


format short e; 

global chk_pub plt_chg det_wpt lay_trk rec_flt ver_pln 

global nchk_pub nplt_chg ndet_wpt nlay_trk nrec_flt nver_pln 

global Pplan 

global err_gen fix_tak fix_plt fix_ver cov_fix dif_det co_detd crs_ord crs_ver 
global cov_crs him_res hlm_ver cov_hlm 

global nerr_gen nfix_tak nfix_plt nfix_ver ncov_fix ndif_det nco_detd ncrs_ord ncrs_ver 
global ncov_crs nhlm_res nhim_ver ncov_him 

global Ppilot 


% check the sensitivity for the events in the planning event tree 
% plan is called as a function 
% plan computes the probability from the event tree 


plan; 
Planinit(:)=[Pplan,Pplan] 


nchk_pub=[0.001;0.01]; 
plan; 

Plan(:,1)=Pplan; 
nchk_pub=0.003; 


nplt_chg=[0.0005;0.005}; 
plan; 

Plan(:,2)=Pplan; 
nplt_chg=0.001; 


ndet_wpt=[0.001;0.01]; 
plan; 

Plan(:,3)=Pplan; 
ndet_wpt=0.003; 


nlay_trk=[0.005;0.05]; 
plan; 

Plan(:,4)=Pplan; 
nlay_trk=0.01; 


nrec_flt=[0.001;0.01]; 
plan; 
Plan(:,5)=Pplan; 
nrec_flt=0.002; 
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nver_pln=[0.005;0.5]; 
plan; 
Plan(:,6)=Pplan; 
nver_pIn=0.01; 


%incorporate the probability of faulty information to determine the 
%sensitivity of the probability for implementing a faulty track 


plan; 
Ptrackinit(:)=[Pplan+Pinfo,Pplan+Pinfo] 


nchk_pub=[0.001;0.01]; 
plan; 

Ptrack(:, 1)=Pplan+Pinfo; 
nchk_pub=0.003; 


nplt_chg=[0.0005;0.005}]; 
plan; 
Ptrack(:,2)=Pplan+Pinfo; 
npit_chg=0.001; 


ndet_wpt=[0.001;0.01]; 
plan; 
Ptrack(:,3)=Pplan+Pinfo; 
ndet_wpt=0.003; 


nlay_trk=[0.005;0.05]; 
plan; 
Ptrack(:,4)=Pplan+Pinfo; 
nlay_trk=0.01; 


nrec_flt=[0.001;0.01); 
plan; 
Ptrack(:,5)=Pplan+Pinfo; 
nrec_flt=0.002; 


nver_pln=[0.005;0.5]; 
plan; 
Ptrack(:,6)=Pplan+Pinfo; 
nver_pIn=0.01; 


Pinfo=[0.00001;0.001]; 
plan; 
Ptrack(:,7)=Pplan+Pinfo; 
Pinfo=0.0001; 


%pilot is called as a function 
“pilot determines the probability from the event tree 


pilot; 
Pilotinit(:) = [Ppilot,Ppilot] 
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nerr_gen = [0.000001;0.001]; 
pilot; 

Pilot(:,1)=Ppilot; 

nerr_gen = 0.00095; 


nfix_tak = [0.0005;0.005]; 
pilot; 

Pilot(:,2)=Ppilot; 
nfix_tak=0.001; 


nfix_plt = [0.0005;0.005]; 
pilot; 

Pilot(:,3)=Ppilot; 
nfix_plt=0.001; 


nfix_ver = [0.005;0.05]; 
pilot; 

Pilot(:,4)=Ppilot; 
nfix_ver=0.01, 


ncov_fix = [0.005;0.05]; 
pilot; 

Pilot(:,5)=Ppilot; 
ncov_fix=0.01; 


ndif_det = [0.0005;0.005], 
pilot; 

Pilot(:,6)=Ppilot; 
ndif_det=0.001; 


nco_detd = [0.0005;0.005]; 
pilot; 

Pilot(:,7)=Ppilot; 
nco_detd=0.001, 


ners_ord = [0.001;0.01]; 
pilot; 

Pilot(:,8)=Ppilot; 
ncrs_ord=0.003; 


ncrs_ver = [0.005;0.05]; 
pilot; 

Pilot(:,9)=Ppilot; 
ncrs_ver=—0.01; 


ncov_crs = [0.005;0.05]; 
pilot; 

Pilot(:,10)=Ppilot; 
ncov_crs=0.01; 


nhim_res = [0.00005;0.0005]; 
pilot; 
Pilot(:,11)=Ppilot; 
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nhlm_res=0.0001; 


nhlm_ver = [0.005;0.05]; 
pilot; 

Pilot(:, 12)=Ppilot; 
nhlm_ver=0.01; 


ncov_him = [0.005;0.05]; 
pilot; 

Pilot(:, 13)=Ppilot; 
ncov_him=0.01; 


%pilot2 determines the probability from the event tree without captain verification 


pilot2; 
Pilotinit(:) = [Ppilot,Ppilot] 


nerr_gen = [0.00000 1;0.001]; 
pilot2; 

Pilot(:,1)=Ppilot; 

nerr_gen = 0.00095; 


nfix_tak = [0.0005;0.005]; 
pilot2; 

Pilot(:,2)=Ppilot; 
nfix_tak=0.001; 


nfix_plt = [0.0005;0.005]; 
pilot2; 

Pilot(:,3)=Ppilot; 
nfix_plt=0.001; 


nfix_ver = [0.005;0.05]; 
pilot2; 

Pilot(:,4)=Ppilot; 
nfix_ver=0.01; 


ncov_fix = [0.005;0.05]; 
pilot2; 

Pilot(:,5)=Ppilot; 
ncov_fix=0.01; 


ndif_det = [0.0005;0.005]; 
pilot2; 

Pilot(:,6)=Ppilot; 
ndif_det=0.001; 


ncrs_ord = [0.001;0.01]; 
pilot2; 

Pilot(:,7)=Ppilot; 
ncrs_ord=0.003; 


ncrs_ver = [0.005;0.05]; 
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pilot2; 
Pilot(:,8)=Ppilot; 
ncrs_ver=0.01; 


ncov_crs = [0.005;0.05]; 
pilot2; 

Pilot(:,9)=Ppilot; 
ncov_crs=0.01; 


nhlm_res = [0.00005;0.0005]; 
pilot2; 

Pilot(:, 10)=Ppilot; 
nhlm_res=0.0001; 


nhlm_ver = [0.005;0.05]; 
pilot2; 

Pilot(:,11)=Ppilot; 
nhim_ver=0.01; 


ncov_hlm = [0.005;0.05]; 
pilot2; 

Pilot(:,12)=Ppilot; 
ncov_hlm=0.01; 


“the results are written to an output file 
diary sense.out; 
Pilotinit 


Pilot' 
diary off, 
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function plan 


chk_pub = 1-nchk_pub; 
plt_chg = I-nplt_chg; 
det_wpt = 1-ndet_wpt; 
lay_trk = I-nlay_trk; 
rec_flt = 1-nrec_fit; 
ver_pln = 1-nver_pln; 


Pplan = chk_pub * plt_chg * det_wpt * nlay_trk * nrec_flt * nver_pln... 
+ chk pub * plt_chg * ndet_wpt * nver_pln... 
+ chk_pub * nplt_chg * det_wpt * lay_trk * nver_pln... 
+ chk_pub * nplt_chg * det_wpt * nlay_trk * rec_flt * nver_pln... 
+ chk pub * nplt_chg * det_wpt * nlay_trk * nrec_flt * nver_pln... 


+ chk_ pub * nplt_chg * ndet_wpt * nver_pln... 
+nchk pub * det_wpt * lay_trk * nver_pln... 
+nchk_pub * det_wpt * nlay_trk * rec_flt * nver_pln... 
+nchk_pub * det_wpt * nlay_trk * nrec_flt * nver_pln... 
+nchk_pub * ndet_wpt * nver_pln; 
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function pilot 


err_gen = ]-nerr_gen; 

fix_tak = 1-nfix_tak; 

fix_plt = 1-nfix_plt; 

fix_ver = 1-nfix_ver; 

cov_fix = 1-ncov_fix; 

dif_det = 1-ndif_det; 

co_detd = 1-nco_detd; 

crs_ord = 1-ncrs_ord; 

crs_ver = l-ncrs_ver; 

cov_crs = 1-ncov_crs; 

hlm_res = 1-nhlm_res; 

hlm_ver = 1-nhlm_ver; 

cov_him = 1-ncov_hlm; 

Pa=err_gen * fix_tak * fix_plt * dif_det * crs_ord * nhim_res * nhim_ver * ncov_hlm... 
+ err_gen * fix_tak * fix_plt * dif_det * ncrs_ord * crs_ver * nhim_res * nhlm_ver * ncov_hlm... 
+ err_gen * fix_tak * fix_plt * dif_det * ncrs_ord * ncrs_ver * cov_crs * nhlm_res * nhlm_ver * 
ncov_him... 

+ err_gen * fix_tak * fix_plt * dif_det * ncrs_ord * ncrs_ver * ncov_crs... 

+ err_gen * fix_tak * fix_plt * ndif_det; 


Pb=err_gen * fix_tak * nfix_plt * fix_ver * dif_det * crs_ord* nhlm_res * nhlm_ver * ncov_him... 

+ err_gen * fix_tak * nfix_plt * fix_ver * dif_det * ncrs_ord * crs_ver* nhim_res * nhlm_ver * 
ncov_hlim... 

+ err_gen * fix_tak * nfix_plt * fix_ver * dif_det * ncrs_ord * ncrs_ver * cov_crs * nhlm_res * nhlm_ver * 
ncov_hlm... 

+ err_gen * fix_tak * nfix_plt * fix_ver * dif_det * ncrs_ord * ncrs_ver * ncov_crs... 

+ err_gen * fix_tak * nfix_plt * fix_ver * ndif_det; 


Pc=err_gen * fix_tak * nfix_plt * nfix_ver * cov_fix * dif_det * crs_ord * nhlm_res * nhim_ver * 
ncov_him... 

+ err_gen * fix_tak * nfix_plt * nfix_ver * cov_fix * dif_det * ncrs_ord * crs_ver * nhlm_res * nhlm_ver * 
ncov_him... 

+ err_gen * fix_tak * nfix_plt * nfix_ver * cov_fix * dif_det * ncrs_ord * ncrs_ver * cov_crs * nhlm_res * 
nhim_ver * ncov_him... 

+ err_gen * fix_tak * nfix_plt * nfix_ver * cov_fix * dif_det * ncrs_ord * ncrs_ver * ncov_crs... 

+ err_gen * fix_tak * nfix_plt * nfix_ver * cov_fix * ndif_det... 

+ err_gen * fix_tak * nfix_plt * nfix_ver * ncov_fix... 

+ err_gen * nfix_tak... 

+ nerr_gen; 


Ppilot = Pa + Pb + Pc; 
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function pilot2 


Pa=err_gen * fix_tak * fix_plt * dif_det * crs_ord * nhim_res * nhlm_ver * ncov_hlm... 

+ err_gen * fix_tak * fix_plt * dif_det * ncrs_ord * crs_ver * nhim_res * nhlm_ver * ncov_hlm... 
+ err_gen * fix_tak * fix_plt * dif_det * ncrs_ord * ncrs_ver * cov_crs * nhim_res * nhlm_ver * 
ncov_him... 

+ err_gen * fix_tak * fix_plt * dif_det * ncrs_ord * ncrs_ver * ncov_crs... 

+ err_gen * fix_tak * fix_plt * ndif_det; 


Pb=err_gen * fix_tak * nfix_plt * fix_ver * dif_det * crs_ord* | nhim_res * nhim_ver * ncov_him... 

+ err_gen * fix_tak * nfix_plt * fix_ver * dif_det * ncrs_ord * crs_ver* nhlm_res * nhlm_ver * 
ncov_hlim... 

+ err_gen * fix_tak * nfix_plt * fix_ver * dif_det * ncrs_ord * ncrs_ver * cov_crs * nhlm_res * nhlm_ver * 
ncov_him... 

+ err_gen * fix_tak * nfix_plt * fix_ver * dif_det * ncrs_ord * ncrs_ver * ncov_crs... 

+ err_gen * fix_tak * nfix_plt * fix_ver * ndif_det; 


Pc=err_gen * fix_tak * nfix_plt * nfix_ver * cov_fix * dif_det * crs_ord * nhlm_res * nhlm_ver * 
ncov_him... 

+ err_gen * fix_tak * nfix_plt * nfix_ver * cov_fix * dif_det * ncrs_ord * crs_ver * nhlm_res * nhlm_ver * 
ncov_him... 

+ err_gen * fix_tak * nfix_plt * nfix_ver * cov_fix * dif_det * ncrs_ord * ncrs_ver * cov_crs * nhlm_res * 
nhim_ver * ncov_him... 

+ err_gen * fix_tak * nfix_plt * nfix_ver * cov_fix * dif_det * ncrs_ord * ncrs_ver * ncov_crs... 

+ err_gen * fix_tak * nfix_plt * nfix_ver * cov_fix * ndif_det... 

+ err_gen * fix_tak * nfix_plt * nfix_ver * ncov_fix... 

+ err_gen * nfix_tak... 

+ nerr_gen; 


Ppilot = Pa + Pb + Pc; 
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